Abstract. IZF is a well investigated impredicative constructive version of Zermelo-Fraenkel set theory. Using set terms, we axiomatize IZF with Replacement, which we call IZF_R, along with its intensional counterpart IZF_R^-. We define a typed lambda calculus λZ corresponding to proofs in IZF_R^- according to the Curry-Howard isomorphism principle. Using realizability for IZF_R^-, we show weak normalization of λZ. We use normalization to prove the disjunction, numerical existence and term existence properties. An inner extensional model is used to show these properties, along with the set existence property, for full, extensional IZF_R.



1. Introduction 

Four salient properties of constructive set theories are:

• Numerical Existence Property (NEP): From a proof of a statement "there exists a natural number $x$ such that ..." a witness $n \in \mathbb{N}$ can be extracted.

• Disjunction Property (DP): If $\phi \lor \psi$ is provable, then either $\phi$ or $\psi$ is provable.

• Term Existence Property (TEP): If $\exists x.\ \phi(x)$ is provable, then $\phi(t)$ is provable for some term $t$.

• Set Existence Property (SEP): If $\exists x.\ \phi(x)$ is provable, then there is a formula $\psi(x)$ such that $\exists! x.\ \phi(x) \land \psi(x)$ is provable, where both $\phi$ and $\psi$ are term-free.

How does one prove these properties for a given theory? There is a variety of methods applicable to constructive theories: cut-elimination, proof normalization, realizability, Kripke models, and so on. Normalization proofs, based on the Curry-Howard isomorphism principle, have the advantage of providing an explicit method of witness and program extraction from proofs. They also provide information about the behaviour of the proof system.

We are interested in intuitionistic set theory IZF. It is essentially what remains of ZF set theory after excluded middle is carefully taken away. An important decision to make on the way is whether to use the Replacement or the Collection axiom schema. We will call the version with Collection IZF_C and the version with Replacement IZF_R. In the literature, IZF usually denotes IZF_C. Both theories extended with excluded middle are equivalent to ZF [Fri73].



1998 ACM Subject Classification: F.4.1.

Key words and phrases: Intuitionistic set theory, Curry-Howard isomorphism, normalization, realizability.

Partly supported by NSF grants DUE-0333526 and 0430161.

LOGICAL METHODS IN COMPUTER SCIENCE, DOI:10.2168/LMCS-4 (2:1) 2008. © Wojciech Moczydłowski, Creative Commons.



They are not equivalent [FS85]. While the proof-theoretic power of IZF_C is equivalent to that of ZF, the exact power of IZF_R is unknown. Arguably IZF_C is less constructive, as Collection, similarly to Choice, asserts the existence of a set without defining it.

Both versions have been investigated thoroughly. Results up to 1985 are presented in [Bee85, S85]. Later research was concentrated on weaker subsystems [AR01, Lub02]. A predicative constructive set theory CZF has attracted particular interest. [AR01] describes the set-theoretic apparatus available in CZF and provides further references.

We axiomatize IZF_R, along with its intensional version IZF_R^-, using set terms. We define a typed lambda calculus λZ corresponding to proofs in IZF_R^-. We also define realizability for IZF_R^-, in the spirit of [McC84], and use it to show that λZ weakly normalizes. Strong normalization of λZ does not hold; moreover, we show that in non-well-founded IZF even weak normalization fails.

With normalization in hand, the properties NEP, DP and TEP easily follow. To show these properties for full, extensional IZF_R, we define an inner model $T$ of IZF_R, consisting of what we call transitively L-stable sets. We show that a formula is true in IZF_R iff its relativization to $T$ is true in IZF_R^-. Therefore IZF_R is interpretable in IZF_R^-. This allows us to use the properties proven for IZF_R^-. In IZF_R, SEP easily follows from TEP.

The importance of these properties in the context of computer science stems from the fact that they make it possible to extract programs from constructive proofs. For example, suppose IZF_R $\vdash \forall n \in \mathbb{N}\ \exists m \in \mathbb{N}.\ \phi(n, m)$. From this proof a program can be extracted: take a natural number $n$ and construct a proof IZF_R $\vdash n \in \mathbb{N}$. Combine the proofs to get IZF_R $\vdash \exists m \in \mathbb{N}.\ \phi(n, m)$ and apply NEP to get a number $m$ such that IZF_R $\vdash \phi(n, m)$. A detailed account of program extraction from IZF_R proofs can be found in [CM06].

There are many provers with program extraction capability. However, they are usually based on variants of type theory, which is a foundational basis very different from set theory. This makes the process of formalizing program specifications more difficult, as an unfamiliar new language and logic have to be learned from scratch. [LP99] strongly argues against using type theory for specification purposes, instead promoting standard set theory.

IZF_R therefore provides the best of both worlds. It is a set theory, with familiar language and axioms. At the same time, programs can be extracted from proofs. Our λZ calculus and the normalization theorem make the task of constructing a prover based on IZF_R not very difficult.

This paper is mostly self-contained. We assume some familiarity with set theory, proof theory and programming languages terminology, found for example in [Kun80, SU06, Pie02]. The paper is organized as follows. We start by presenting in detail intuitionistic first-order logic in section 2. In section 3 we define IZF_R along with its intensional version IZF_R^-. In section 4 we define a lambda calculus λZ corresponding to IZF_R^- proofs. Realizability for IZF_R^- is defined in section 5. We use it to prove normalization of λZ in section 6, where we also show that non-well-founded IZF does not normalize. We prove the properties in section 7 and show how to derive them for full, extensional IZF_R in section 8. Comparison with other results can be found in section 9.

2. Intuitionistic first-order logic

Due to the syntactic character of our results, we present intuitionistic first-order logic (IFOL) in detail. We use a natural deduction style of proof rules. The terms will be denoted by letters $t, s, u$. The variables will be denoted by letters $a, b, c, d, e, f$. The notation $\vec a$ stands for a finite sequence, treated as a set when convenient. The $i$-th element of a sequence is denoted by $a_i$. We consider $\alpha$-equivalent formulas equal. The capture-avoiding substitution is defined as usual; the result of substituting $s$ for $a$ in a term $t$ is denoted by $t[a := s]$. We write $t[a_1, \ldots, a_n := s_1, \ldots, s_n]$ to denote the result of substituting simultaneously $s_1, \ldots, s_n$ for $a_1, \ldots, a_n$. Contexts, denoted by $\Gamma$, are sets of formulas. The set of free variables of a formula $\phi$, denoted by $FV(\phi)$, is defined as usual. The free variables of a context $\Gamma$, denoted by $FV(\Gamma)$, are the free variables of all formulas in $\Gamma$. The notation $\phi(\vec a)$ means that all free variables of $\phi$ are among $\vec a$. The proof rules are as follows:

$$\Gamma, \phi \vdash \phi \qquad \frac{\Gamma \vdash \bot}{\Gamma \vdash \phi} \qquad \frac{\Gamma, \phi \vdash \psi}{\Gamma \vdash \phi \to \psi} \qquad \frac{\Gamma \vdash \phi \to \psi \quad \Gamma \vdash \phi}{\Gamma \vdash \psi}$$

$$\frac{\Gamma \vdash \phi \quad \Gamma \vdash \psi}{\Gamma \vdash \phi \land \psi} \qquad \frac{\Gamma \vdash \phi \land \psi}{\Gamma \vdash \phi} \qquad \frac{\Gamma \vdash \phi \land \psi}{\Gamma \vdash \psi}$$

$$\frac{\Gamma \vdash \phi}{\Gamma \vdash \phi \lor \psi} \qquad \frac{\Gamma \vdash \psi}{\Gamma \vdash \phi \lor \psi} \qquad \frac{\Gamma \vdash \phi \lor \psi \quad \Gamma, \phi \vdash \vartheta \quad \Gamma, \psi \vdash \vartheta}{\Gamma \vdash \vartheta}$$

$$\frac{\Gamma \vdash \phi}{\Gamma \vdash \forall a.\ \phi}\ a \notin FV(\Gamma) \qquad \frac{\Gamma \vdash \forall a.\ \phi}{\Gamma \vdash \phi[a := t]} \qquad \frac{\Gamma \vdash \phi[a := t]}{\Gamma \vdash \exists a.\ \phi} \qquad \frac{\Gamma \vdash \exists a.\ \phi \quad \Gamma, \phi \vdash \psi}{\Gamma \vdash \psi}\ a \notin FV(\Gamma, \psi)$$

Negation in IFOL is an abbreviation: $\neg\phi \equiv \phi \to \bot$. So is the symbol $\leftrightarrow$: $\phi \leftrightarrow \psi \equiv (\phi \to \psi) \land (\psi \to \phi)$. Note that IFOL does not contain equality. The excluded middle rule added to IFOL makes it equivalent to classical first-order logic without equality. We adopt the "dot" convention: a formula $\forall a.\ \phi$ should be parsed as $\forall a.\ (\phi)$. In other words [1], the dot represents a left parenthesis whose scope extends as far to the right as possible.

Lemma 2.1. For any formula $\phi$, $\phi[a := t][b := u[a := t]] = \phi[b := u][a := t]$, for $b \notin FV(t)$.

Proof. Straightforward structural induction on $\phi$. □

3. IZF_R

Intuitionistic set theory IZF_R is a first-order theory, equivalent to ZF when extended with excluded middle. It is a definitional extension of the term-free versions presented in [Myh73, Bee85, FS85]. The signature consists of one binary relational symbol $\in$ and function symbols used in the axioms below. The set of all IZF_R terms will be denoted by $Tms$. The notation $t = u$ is an abbreviation for $\forall z.\ z \in t \leftrightarrow z \in u$. Function symbols $0$ and $S(t)$ are abbreviations for $\emptyset$ and $\bigcup\{t, \{t, t\}\}$. Bounded quantifiers and the quantifier $\exists! a$ (there exists exactly one $a$) are also abbreviations defined in the standard way. The axioms are as follows:

• (EMPTY) $\forall c.\ c \in \emptyset \leftrightarrow \bot$

• (PAIR) $\forall a, b\ \forall c.\ c \in \{a, b\} \leftrightarrow c = a \lor c = b$

• (INF) $\forall c.\ c \in \omega \leftrightarrow c = 0 \lor \exists b \in \omega.\ c = S(b)$

• (SEP$_{\phi(a, \vec f)}$) $\forall \vec f\ \forall a\ \forall c.\ c \in S_{\phi(a, \vec f)}(a, \vec f) \leftrightarrow c \in a \land \phi(c, \vec f)$

• (UNION) $\forall a\ \forall c.\ c \in \bigcup a \leftrightarrow \exists b \in a.\ c \in b$

• (POWER) $\forall a\ \forall c.\ c \in P(a) \leftrightarrow \forall b.\ b \in c \to b \in a$



[1] Borrowed from [SU06].



• (REPL$_{\phi(a, b, \vec f)}$) $\forall \vec f\ \forall a\ \forall c.\ c \in R_{\phi(a, b, \vec f)}(a, \vec f) \leftrightarrow (\forall x \in a\ \exists! y.\ \phi(x, y, \vec f)) \land (\exists x \in a.\ \phi(x, c, \vec f))$

• (IND$_{\phi(a, \vec f)}$) $\forall \vec f.\ (\forall a.\ (\forall b \in a.\ \phi(b, \vec f)) \to \phi(a, \vec f)) \to \forall a.\ \phi(a, \vec f)$

• (L$_{\phi(a, \vec f)}$) $\forall \vec f\ \forall a, b.\ a = b \to \phi(a, \vec f) \to \phi(b, \vec f)$

Axioms SEP$_\phi$, REPL$_\phi$, IND$_\phi$ and L$_\phi$ are axiom schemas, and so are the corresponding function symbols: there is one function symbol for each formula $\phi$. Formally, we define formulas and terms by mutual induction:

$$\phi ::= t \in t \mid \phi \land \phi \mid \ldots \qquad t ::= a \mid \{t, t\} \mid S_{\phi(a, \vec f)}(t, \vec t) \mid R_{\phi(a, b, \vec f)}(t, \vec t) \mid \ldots$$

Our presentation is not minimal; for example, the empty set axiom can be derived as usual using Separation and Infinity. However, we aim for a natural axiomatization of IZF_R, not necessarily the most optimal one.

The Leibniz axiom schema L$_\phi$ is usually not present among the axioms of set theories, as it is assumed that the logic contains equality and the axiom is a proof rule. We include L$_\phi$ among the axioms of IZF_R, because there is no obvious way to add it to intuitionistic logic in the Curry-Howard isomorphism context, as its computational content is unclear. Our axiom of Replacement is equivalent to the usual formulations, see [Moc06b] for details.

IZF_R^- will denote IZF_R without the Leibniz axiom schema L$_\phi$. IZF_R^- is an intensional version of IZF_R: even though extensional equality is used in the axioms, it does not behave as the "real" equality.

The terms $S_\phi(a, \vec f)$ and $R_\phi(a, \vec f)$ can be displayed as $\{x \in a \mid \phi(x, \vec f)\}$ and $\{z \mid (\forall x \in a\ \exists! y.\ \phi(x, y, \vec f)) \land \exists x \in a.\ \phi(x, z, \vec f)\}$.

The axioms (EMPTY), (PAIR), (INF), (SEP$_\phi$), (UNION), (POWER) and (REPL$_\phi$) all assert the existence of certain classes and have the same form: $\forall \vec a\ \forall c.\ c \in t_A(\vec a) \leftrightarrow \phi_A(c, \vec a)$, where $t_A$ is a function symbol and $\phi_A$ a corresponding formula for the axiom A. For example, for (POWER), $t_{POWER}$ is $P$ and $\phi_{POWER}$ is $\forall b.\ b \in c \to b \in a$. We reserve the notation $t_A$ and $\phi_A$ to denote the term and the corresponding formula for the axiom A.

Lemma 3.1. Every term $T = t_A(\vec t(\vec a))$ of IZF_R is definable. In other words, there is a term-free formula $\phi(x, \vec a)$ such that IZF_R^- $\vdash \forall \vec a.\ \phi(T, \vec a) \land \exists! x.\ \phi(x, \vec a)$.

Proof. Straightforward induction on the size of $T$. We first show the claim for $\omega$, then for the rest of the terms. For $\omega$, the defining formula is:

$$\phi(x) \equiv \forall c.\ c \in x \leftrightarrow c = 0 \lor \exists y \in x.\ c = S(y)$$

Indeed, $\phi(\omega)$ holds. Suppose $\phi(z)$ for some $z$; we need to show that $z = \omega$. To do this, we prove by $\in$-induction $\forall c.\ c \in z \leftrightarrow c \in \omega$. Take any $c$ and suppose $c \in z$. Then $c = 0$ or there is $y \in z$ such that $c = S(y)$. In the former case $c \in \omega$; in the latter $y \in c$, so by the induction hypothesis $y \in \omega$ and hence $c \in \omega$. The other direction is symmetric.

Consider now an arbitrary $T = t_A(\vec t(\vec a))$. Let $\vec u$ denote $\vec t(\vec a)$, so $T = t_A(\vec u)$. By the induction hypothesis there are formulas $\vec\phi(x, \vec a)$ defining $\vec u$. Consider the formula:

$$\psi(x, \vec a) \equiv \exists \vec x.\ \bigwedge \vec\phi(\vec x, \vec a) \land \forall c.\ c \in x \leftrightarrow \phi_A(c, \vec x)$$

We will now show that $\psi(x, \vec a)$ defines $T$ [2]. Take any $\vec a$ and take $\vec x = \vec u$. We have $\bigwedge \vec\phi(\vec u, \vec a)$ and by the axiom (A) corresponding to $t_A$, we get $\forall c.\ c \in t_A(\vec u) \leftrightarrow \phi_A(c, \vec u)$. Furthermore, suppose $\psi(z, \vec a)$ for some $z$. Then there are $\vec b$ such that $\bigwedge \vec\phi(\vec b, \vec a)$ and $\forall c.\ c \in z \leftrightarrow \phi_A(c, \vec b)$. Since $\vec\phi(\vec x, \vec a)$ define $\vec u$, $\vec b = \vec u$ and thus also $\forall c.\ c \in z \leftrightarrow \phi_A(c, \vec u)$. To show that $z = T$, it suffices to show that $\forall a.\ a \in T \leftrightarrow a \in z$, which follows easily.

It remains to consider the situation when $\phi_A$ contains some terms, which can happen if A is the Separation or Replacement axiom. However, by the induction hypothesis all these terms are definable as well, so there is also a term-free formula $\psi'$ equivalent to $\psi$. □

[2] Strictly speaking, it is not term-free, but eliminating the terms used in $\psi$ is straightforward.

Corollary 3.2. For any closed term $t$ there is a term-free formula $\phi(x)$ such that IZF_R^- $\vdash (\exists! x.\ \phi(x)) \land \phi(t)$.



4. The λZ calculus

We now present a lambda calculus λZ for IZF_R^-, based on the Curry-Howard isomorphism principle. The first-order part of λZ is essentially λP1 from [SU06]. The lambda terms in the calculus correspond to proofs in IZF_R^-. The correspondence is captured formally by Lemma 4.10.

The lambda terms in λZ will be denoted by letters $M, N, O, P$. There are two kinds of lambda abstractions, one used for proofs of implications, the other for proofs of universal quantifications. We use separate sets of variables for these abstractions and call them proof and first-order variables, respectively. We use letters $x, y, z$ for proof variables and $a, b, c$ for first-order variables. Letters $t, s, u$ are reserved for IZF_R terms. The types in the system are IZF_R formulas. The lambda terms are generated by an abstract grammar. The first group of terms is standard and used for IFOL proofs:

$$M ::= x \mid M\ N \mid \lambda a.\ M \mid \lambda x{:}\phi.\ M \mid \mathrm{inl}(M) \mid \mathrm{inr}(M) \mid \mathrm{fst}(M) \mid \mathrm{snd}(M) \mid [t, M] \mid M\ t \mid \langle M, N \rangle \mid \mathrm{case}(M, x{:}\phi.\ N, x{:}\psi.\ O) \mid \mathrm{magic}(M) \mid \mathrm{let}\ [a, x{:}\phi] := M\ \mathrm{in}\ N$$

The rest of the terms correspond to the axioms of IZF_R^-:

$$\begin{array}{ll}
\mathrm{emptyProp}(t, M) & \mathrm{emptyRep}(t, M) \\
\mathrm{pairProp}(t, u_1, u_2, M) & \mathrm{pairRep}(t, u_1, u_2, M) \\
\mathrm{unionProp}(t, u, M) & \mathrm{unionRep}(t, u, M) \\
\mathrm{sepProp}_{\phi(a, \vec f)}(t, \vec u, M) & \mathrm{sepRep}_{\phi(a, \vec f)}(t, \vec u, M) \\
\mathrm{powerProp}(t, u, M) & \mathrm{powerRep}(t, u, M) \\
\mathrm{infProp}(t, M) & \mathrm{infRep}(t, M) \\
\mathrm{replProp}_{\phi(a, b, \vec f)}(t, \vec u, M) & \mathrm{replRep}_{\phi(a, b, \vec f)}(t, \vec u, M) \\
\mathrm{ind}_{\phi(a, \vec f)}(\vec t, M) &
\end{array}$$

The ind term corresponds to the $\in$-induction axiom schema (IND$_{\phi(a, \vec f)}$), and the Prop and Rep terms correspond to the respective axioms. The exact nature of the correspondence will become clear in the next section. Briefly and informally, the Rep terms are representatives of the fact that a $t$ is a member of a term $t_A(\vec u)$ and the Prop terms provide the defining property of $t \in t_A(\vec u)$. To avoid listing all of them every time, we adopt the convention of using axRep and axProp terms to tacitly mean all Rep and Prop terms, for ax being one of empty, pair, union, sep, power, inf and repl. With this convention in mind, we can summarize the definition of the Prop and Rep terms as:

$$\mathrm{axProp}(t, \vec u, M) \mid \mathrm{axRep}(t, \vec u, M),$$

where the number of terms in the sequence $\vec u$ depends on the particular axiom.

The free variables of a lambda term are defined as usual, taking into account that variables in $\lambda$, case and let terms bind the respective terms. The relation of $\alpha$-equivalence is defined taking this information into account. We consider $\alpha$-equivalent terms equal. We denote the set of all free variables of a term $M$ by $FV(M)$ and the set of the free first-order variables of a term by $FV_F(M)$. The free (first-order) variables of a context $\Gamma$ are denoted by $FV(\Gamma)$ ($FV_F(\Gamma)$) and defined in a natural way. The notation $M[x := N]$ stands for the term $M$ with $N$ substituted for $x$. The set of all λZ lambda terms will be denoted by $\Lambda$.

4.1. Reduction rules. The deterministic reduction relation $\to$ arises by lazily evaluating the following base reduction rules:

$$(\lambda x{:}\phi.\ M)\ N \to M[x := N] \qquad (\lambda a.\ M)\ t \to M[a := t]$$

$$\mathrm{fst}(\langle M, N \rangle) \to M \qquad \mathrm{snd}(\langle M, N \rangle) \to N$$

$$\mathrm{case}(\mathrm{inl}(M), x{:}\phi.\ N, x{:}\psi.\ O) \to N[x := M] \qquad \mathrm{case}(\mathrm{inr}(M), x{:}\phi.\ N, x{:}\psi.\ O) \to O[x := M]$$

$$\mathrm{let}\ [a, x{:}\phi] := [t, M]\ \mathrm{in}\ N \to N[a := t][x := M]$$

$$\mathrm{axProp}(t, \vec u, \mathrm{axRep}(t, \vec u, M)) \to M$$

$$\mathrm{ind}_{\phi(a, \vec f)}(\vec t, M) \to \lambda c.\ M\ c\ (\lambda b.\ \lambda x{:}b \in c.\ \mathrm{ind}_{\phi(a, \vec f)}(\vec t, M)\ b) \qquad c, b, x \text{ new}$$

The laziness is specified formally by the following evaluation contexts:

$$[\circ] ::= \mathrm{fst}([\circ]) \mid \mathrm{snd}([\circ]) \mid \mathrm{case}([\circ], x{:}\phi.\ M, x{:}\psi.\ N) \mid \mathrm{axProp}(t, \vec u, [\circ]) \mid \mathrm{let}\ [a, y{:}\phi] := [\circ]\ \mathrm{in}\ N \mid [\circ]\ M \mid \mathrm{magic}([\circ])$$

In other words, the (small-step) reduction relation arises from the base reduction rules and the following inductive definition:

$$\frac{M \to M'}{\mathrm{fst}(M) \to \mathrm{fst}(M')} \qquad \frac{M \to M'}{\mathrm{snd}(M) \to \mathrm{snd}(M')} \qquad \frac{M \to M'}{\mathrm{case}(M, x{:}\phi.\ N, x{:}\psi.\ O) \to \mathrm{case}(M', x{:}\phi.\ N, x{:}\psi.\ O)}$$

$$\frac{M \to M'}{\mathrm{axProp}(t, \vec u, M) \to \mathrm{axProp}(t, \vec u, M')} \qquad \frac{M \to M'}{\mathrm{let}\ [a, y{:}\phi] := M\ \mathrm{in}\ N \to \mathrm{let}\ [a, y{:}\phi] := M'\ \mathrm{in}\ N}$$

$$\frac{M \to M'}{M\ N \to M'\ N} \qquad \frac{M \to M'}{\mathrm{magic}(M) \to \mathrm{magic}(M')}$$

Definition 4.1. We write $M \downarrow$ if the reduction sequence starting from $M$ terminates. We write $M \downarrow v$ if we want to state that $v$ is the term at which this reduction sequence terminates. We write $M \to^* M'$ if $M$ reduces to $M'$ in some number of steps.

We distinguish certain λZ terms as values. The values are generated by the following abstract grammar, where $M$ is an arbitrary term. Clearly, there are no reductions possible from values.

$$V ::= \lambda a.\ M \mid \lambda x{:}\phi.\ M \mid \mathrm{inl}(M) \mid \mathrm{inr}(M) \mid [t, M] \mid \langle M, N \rangle \mid \mathrm{axRep}(t, \vec u, M)$$
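The following Python program is an added illustration of the reduction rules above; it is not code from the paper. It implements the deterministic, lazy small-step relation for the propositional fragment of λZ (proof abstraction and application, pairs, injections, case, magic, and the axProp/axRep redex), with capture-avoiding substitution. Terms are tagged tuples, type annotations are not tracked, first-order terms are opaque Python values, and the first-order abstraction, let, and the ind unfolding are omitted. The sample terms at the bottom are constructed for the example: the untypeable term $\Omega$ shows why `evaluate` needs a fuel bound, and `LAZY_FST` shows that, because reduction only happens inside the evaluation contexts, `fst` of a pair returns without ever touching the looping component.

```python
"""Lazy small-step reduction for the propositional fragment of λZ (added example).

Term encoding (tagged tuples):
  ('var', x)   ('lam', x, M)   ('app', M, N)   ('pair', M, N)
  ('fst', M)   ('snd', M)      ('inl', M)      ('inr', M)
  ('case', M, x, N, y, O)      ('magic', M)
  ('axrep', t, u, M)  ('axprop', t, u, M)    # t, u: opaque first-order data
"""
from itertools import count

_counter = count()


def fresh(base):
    """A variable name not used elsewhere (assumption: '_' never occurs in user names)."""
    return f"{base}_{next(_counter)}"


def free_vars(term):
    tag = term[0]
    if tag == 'var':
        return {term[1]}
    if tag == 'lam':
        return free_vars(term[2]) - {term[1]}
    if tag == 'case':
        _, m, x, n, y, o = term
        return free_vars(m) | (free_vars(n) - {x}) | (free_vars(o) - {y})
    if tag in ('axrep', 'axprop'):
        return free_vars(term[3])
    return set().union(*(free_vars(s) for s in term[1:]))


def _under_binder(y, body, x, n):
    """Substitute n for x under a binder y, renaming y if n mentions it."""
    if y == x:
        return y, body                      # x is shadowed
    if y in free_vars(n):
        y2 = fresh(y)
        body = subst(body, y, ('var', y2))
        y = y2
    return y, subst(body, x, n)


def subst(term, x, n):
    """Capture-avoiding substitution term[x := n]."""
    tag = term[0]
    if tag == 'var':
        return n if term[1] == x else term
    if tag == 'lam':
        return ('lam',) + _under_binder(term[1], term[2], x, n)
    if tag == 'case':
        _, m, y, nb, z, ob = term
        y, nb = _under_binder(y, nb, x, n)
        z, ob = _under_binder(z, ob, x, n)
        return ('case', subst(m, x, n), y, nb, z, ob)
    if tag in ('axrep', 'axprop'):
        return (tag, term[1], term[2], subst(term[3], x, n))
    return (tag,) + tuple(subst(s, x, n) for s in term[1:])


def is_value(term):
    return term[0] in ('lam', 'inl', 'inr', 'pair', 'axrep')


def step(term):
    """One reduction step, or None if term is a value or stuck.
    Only the head of fst/snd/case/axProp/magic and the function position of
    an application are reduced (the evaluation contexts); bodies and
    arguments are left alone, which is what makes the strategy lazy."""
    tag = term[0]
    if tag == 'app':
        f, arg = term[1], term[2]
        if f[0] == 'lam':
            return subst(f[2], f[1], arg)          # (λx. M) N → M[x := N]
        f2 = step(f)
        return None if f2 is None else ('app', f2, arg)
    if tag in ('fst', 'snd'):
        m = term[1]
        if m[0] == 'pair':
            return m[1] if tag == 'fst' else m[2]  # fst(<M, N>) → M
        m2 = step(m)
        return None if m2 is None else (tag, m2)
    if tag == 'case':
        _, m, x, n, y, o = term
        if m[0] == 'inl':
            return subst(n, x, m[1])
        if m[0] == 'inr':
            return subst(o, y, m[1])
        m2 = step(m)
        return None if m2 is None else ('case', m2, x, n, y, o)
    if tag == 'axprop':
        _, t, u, m = term
        if m[0] == 'axrep' and m[1] == t and m[2] == u:
            return m[3]                            # axProp(t,u,axRep(t,u,M)) → M
        m2 = step(m)
        return None if m2 is None else ('axprop', t, u, m2)
    if tag == 'magic':
        m2 = step(term[1])
        return None if m2 is None else ('magic', m2)
    return None


def evaluate(term, fuel=10_000):
    """Follow the reduction sequence; return (final term, number of steps).
    Raises RuntimeError if no normal form is reached within `fuel` steps."""
    for steps in range(fuel):
        nxt = step(term)
        if nxt is None:
            return term, steps
        term = nxt
    raise RuntimeError("no normal form reached within fuel")


def normalizes(term, fuel=10_000):
    try:
        evaluate(term, fuel)
        return True
    except RuntimeError:
        return False


# Constructed sample terms for the example (not from the paper).
DELTA = ('lam', 'x', ('app', ('var', 'x'), ('var', 'x')))
OMEGA = ('app', DELTA, DELTA)                       # untypeable; reduces to itself
LAZY_FST = ('fst', ('pair', ('inl', ('var', 'z')), OMEGA))
AX_REDEX = ('axprop', 't', ('u',), ('axrep', 't', ('u',), ('lam', 'x', ('var', 'x'))))

if __name__ == '__main__':
    print(evaluate(LAZY_FST))          # OMEGA is never reduced
    print(evaluate(AX_REDEX))
    print(normalizes(OMEGA, fuel=100))
```

The `axprop` clause checks that the first-order arguments of the inner `axrep` match, as the base rule requires; on well-typed terms the typing rules guarantee this, so a mismatch can only come from an ill-typed input, which is then left stuck rather than silently reduced.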



4.2. Types. The type system for λZ is constructed according to the principle of the Curry-Howard isomorphism for IZF_R^-. Types are IZF_R formulas. Contexts, denoted by $\Gamma$, are finite sets of pairs $(x_i, \phi_i)$, written as $x_1 : \phi_1, \ldots, x_n : \phi_n$. The domain of a context $\Gamma$ is the set $\{x \mid (x, \phi) \in \Gamma\}$ and it is denoted by $\mathrm{dom}(\Gamma)$. The range of a context $\Gamma$ is the corresponding first-order logic context that contains only formulas and is denoted by $rg(\Gamma)$. The first group of rules corresponds to the rules of IFOL:

$$\Gamma, x{:}\phi \vdash x : \phi \qquad \frac{\Gamma, x{:}\phi \vdash M : \psi}{\Gamma \vdash \lambda x{:}\phi.\ M : \phi \to \psi}\ x \notin \mathrm{dom}(\Gamma) \qquad \frac{\Gamma \vdash M : \phi \to \psi \quad \Gamma \vdash N : \phi}{\Gamma \vdash M\ N : \psi}$$

$$\frac{\Gamma \vdash M : \phi \quad \Gamma \vdash N : \psi}{\Gamma \vdash \langle M, N \rangle : \phi \land \psi} \qquad \frac{\Gamma \vdash M : \phi \land \psi}{\Gamma \vdash \mathrm{fst}(M) : \phi} \qquad \frac{\Gamma \vdash M : \phi \land \psi}{\Gamma \vdash \mathrm{snd}(M) : \psi}$$

$$\frac{\Gamma \vdash M : \phi}{\Gamma \vdash \mathrm{inl}(M) : \phi \lor \psi} \qquad \frac{\Gamma \vdash M : \psi}{\Gamma \vdash \mathrm{inr}(M) : \phi \lor \psi} \qquad \frac{\Gamma \vdash M : \phi \lor \psi \quad \Gamma, x{:}\phi \vdash N : \vartheta \quad \Gamma, x{:}\psi \vdash O : \vartheta}{\Gamma \vdash \mathrm{case}(M, x{:}\phi.\ N, x{:}\psi.\ O) : \vartheta}$$

$$\frac{\Gamma \vdash M : \phi}{\Gamma \vdash \lambda a.\ M : \forall a.\ \phi}\ a \notin FV_F(\Gamma) \qquad \frac{\Gamma \vdash M : \forall a.\ \phi}{\Gamma \vdash M\ t : \phi[a := t]}$$

$$\frac{\Gamma \vdash M : \phi[a := t]}{\Gamma \vdash [t, M] : \exists a.\ \phi} \qquad \frac{\Gamma \vdash M : \exists a.\ \phi \quad \Gamma, x{:}\phi \vdash N : \psi}{\Gamma \vdash \mathrm{let}\ [a, x{:}\phi] := M\ \mathrm{in}\ N : \psi}\ a \notin FV_F(\Gamma, \psi) \qquad \frac{\Gamma \vdash M : \bot}{\Gamma \vdash \mathrm{magic}(M) : \phi}$$

The rest of the rules correspond to IZF_R^- axioms:

$$\frac{\Gamma \vdash M : \phi_A(t, \vec u)}{\Gamma \vdash \mathrm{axRep}(t, \vec u, M) : t \in t_A(\vec u)} \qquad \frac{\Gamma \vdash M : t \in t_A(\vec u)}{\Gamma \vdash \mathrm{axProp}(t, \vec u, M) : \phi_A(t, \vec u)}$$

$$\frac{\Gamma \vdash M : \forall c.\ (\forall b.\ b \in c \to \phi(b, \vec t)) \to \phi(c, \vec t)}{\Gamma \vdash \mathrm{ind}_{\phi(a, \vec f)}(\vec t, M) : \forall a.\ \phi(a, \vec t)}$$

4.3. Properties of λZ. We now prove a standard sequence of lemmas for λZ.

Lemma 4.2 (Canonical Forms). Suppose $M$ is a value and $\vdash M : \vartheta$. Then:

• $\vartheta = t \in t_A(\vec u)$ iff $M = \mathrm{axRep}(t, \vec u, N)$ and $\vdash N : \phi_A(t, \vec u)$.

• $\vartheta = \phi \lor \psi$ iff ($M = \mathrm{inl}(N)$ and $\vdash N : \phi$) or ($M = \mathrm{inr}(N)$ and $\vdash N : \psi$).

• $\vartheta = \phi \land \psi$ iff $M = \langle N, O \rangle$, $\vdash N : \phi$ and $\vdash O : \psi$.

• $\vartheta = \phi \to \psi$ iff $M = \lambda x{:}\phi.\ N$ and $x : \phi \vdash N : \psi$.

• $\vartheta = \forall a.\ \phi$ iff $M = \lambda a.\ N$ and $\vdash N : \phi$.

• $\vartheta = \exists a.\ \phi$ iff $M = [t, N]$ and $\vdash N : \phi[a := t]$.

• $\vartheta = \bot$ never happens.

Proof. Immediate from the typing rules and the definition of values. □

Lemma 4.3 (Weakening). If $\Gamma \vdash M : \phi$ and $FV(\psi) \cup \{x\}$ are fresh with respect to the proof tree $\Gamma \vdash M : \phi$, then $\Gamma, x : \psi \vdash M : \phi$.

Proof. Straightforward induction on $\Gamma \vdash M : \phi$. The freshness assumption is used in the treatment of the proof rules having side-conditions, such as introduction of the universal quantifier. □



There are two substitution lemmas, one for the propositional part, the other for the first-order part of the calculus. Since the rules and terms of λZ corresponding to IZF_R^- axioms do not interact with substitutions in a significant way, the proofs are routine.

Lemma 4.4. If $\Gamma, x : \phi \vdash M : \psi$ and $\Gamma \vdash N : \phi$, then $\Gamma \vdash M[x := N] : \psi$.

Proof. By induction on $\Gamma, x : \phi \vdash M : \psi$. We show two interesting cases.

• $\psi = \psi_1 \to \psi_2$, $M = \lambda y{:}\psi_1.\ O$. Using $\alpha$-conversion we can choose $y$ to be new, so that $y \notin FV(\Gamma, x) \cup FV(N)$. The proof tree must end with:

$$\frac{\Gamma, x : \phi, y : \psi_1 \vdash O : \psi_2}{\Gamma, x : \phi \vdash \lambda y{:}\psi_1.\ O : \psi_1 \to \psi_2}$$

By the induction hypothesis, $\Gamma, y : \psi_1 \vdash O[x := N] : \psi_2$, so $\Gamma \vdash \lambda y{:}\psi_1.\ O[x := N] : \psi_1 \to \psi_2$. By the choice of $y$, $\Gamma \vdash (\lambda y{:}\psi_1.\ O)[x := N] : \psi_1 \to \psi_2$.

• $\psi = \psi_2$, $M = \mathrm{let}\ [a, y{:}\psi_1] := M_1\ \mathrm{in}\ M_2$. The proof tree ends with:

$$\frac{\Gamma, x : \phi \vdash M_1 : \exists a.\ \psi_1 \quad \Gamma, x : \phi, y : \psi_1 \vdash M_2 : \psi_2}{\Gamma, x : \phi \vdash \mathrm{let}\ [a, y{:}\psi_1] := M_1\ \mathrm{in}\ M_2 : \psi_2}$$

Choose $a$ and $y$ to be fresh. By the induction hypothesis, $\Gamma \vdash M_1[x := N] : \exists a.\ \psi_1$ and $\Gamma, y : \psi_1 \vdash M_2[x := N] : \psi_2$. Thus $\Gamma \vdash \mathrm{let}\ [a, y{:}\psi_1] := M_1[x := N]\ \mathrm{in}\ M_2[x := N] : \psi_2$. By $a$ and $y$ fresh, $\Gamma \vdash (\mathrm{let}\ [a, y{:}\psi_1] := M_1\ \mathrm{in}\ M_2)[x := N] : \psi_2$, which is what we want. □

Lemma 4.5. If $\Gamma \vdash M : \phi$, then $\Gamma[a := t] \vdash M[a := t] : \phi[a := t]$.

Proof. By induction on $\Gamma \vdash M : \phi$. Most of the rules do not interact with first-order substitution, so we show the proof just for the four of them which do.

• $\phi = \forall b.\ \phi_1$, $M = \lambda b.\ M_1$. The proof tree ends with:

$$\frac{\Gamma \vdash M_1 : \phi_1}{\Gamma \vdash \lambda b.\ M_1 : \forall b.\ \phi_1}\ b \notin FV_F(\Gamma)$$

Without loss of generality we can assume that $b \notin FV(t) \cup \{a\}$. By the induction hypothesis, $\Gamma[a := t] \vdash M_1[a := t] : \phi_1[a := t]$. Therefore $\Gamma[a := t] \vdash \lambda b.\ M_1[a := t] : \forall b.\ \phi_1[a := t]$ and by the choice of $b$, $\Gamma[a := t] \vdash (\lambda b.\ M_1)[a := t] : (\forall b.\ \phi_1)[a := t]$.

• $\phi = \phi_1[b := u]$, $M = M_1\ u$ for some term $u$. The proof tree ends with:

$$\frac{\Gamma \vdash M_1 : \forall b.\ \phi_1}{\Gamma \vdash M_1\ u : \phi_1[b := u]}$$

Choosing $b$ to be fresh, by the induction hypothesis we get $\Gamma[a := t] \vdash M_1[a := t] : \forall b.\ (\phi_1[a := t])$, so $\Gamma[a := t] \vdash M_1[a := t]\ u[a := t] : \phi_1[a := t][b := u[a := t]]$. By Lemma 2.1 and $b \notin FV(t)$, we get $\Gamma[a := t] \vdash (M_1\ u)[a := t] : \phi_1[b := u][a := t]$.

• $\phi = \exists b.\ \phi_1$, $M = [u, M_1]$. The proof tree ends with:

$$\frac{\Gamma \vdash M_1 : \phi_1[b := u]}{\Gamma \vdash [u, M_1] : \exists b.\ \phi_1}$$

Choosing $b$ to be fresh, by the induction hypothesis we get $\Gamma[a := t] \vdash M_1[a := t] : \phi_1[b := u][a := t]$. By Lemma 2.1 and $b \notin FV(t)$, we get $\Gamma[a := t] \vdash M_1[a := t] : \phi_1[a := t][b := u[a := t]]$. Therefore $\Gamma[a := t] \vdash [u[a := t], M_1[a := t]] : \exists b.\ \phi_1[a := t]$, so also $\Gamma[a := t] \vdash ([u, M_1])[a := t] : (\exists b.\ \phi_1)[a := t]$.

• $\phi = \psi$, $M = \mathrm{let}\ [b, x{:}\phi_1] := M_1\ \mathrm{in}\ N$. The proof tree ends with:

$$\frac{\Gamma \vdash M_1 : \exists b.\ \phi_1 \quad \Gamma, x : \phi_1 \vdash N : \psi}{\Gamma \vdash \mathrm{let}\ [b, x{:}\phi_1] := M_1\ \mathrm{in}\ N : \psi}\ b \notin FV_F(\Gamma, \psi)$$

We choose $b$ so that $b \notin FV(t) \cup \{a\}$. By the induction hypothesis $\Gamma[a := t] \vdash M_1[a := t] : \exists b.\ \phi_1[a := t]$ and $\Gamma[a := t], x : \phi_1[a := t] \vdash N[a := t] : \psi[a := t]$. By our choice of $b$ and $b \notin FV_F(\Gamma, \psi)$, we also have $b \notin FV_F(\Gamma[a := t], \psi[a := t])$. Thus also $\Gamma[a := t] \vdash \mathrm{let}\ [b, x{:}\phi_1[a := t]] := M_1[a := t]\ \mathrm{in}\ N[a := t] : \psi[a := t]$. □

With the lemmas at hand, Progress and Preservation easily follow:

Lemma 4.6 (Subject Reduction, Preservation). If $\Gamma \vdash M : \phi$ and $M \to N$, then $\Gamma \vdash N : \phi$.

Proof. By induction on the definition of $M \to N$. We show several cases. Case $M \to N$ of:

• $(\lambda x{:}\phi_1.\ M_1)\ M_2 \to M_1[x := M_2]$. The term $M$ has the form $M = (\lambda x{:}\phi_1.\ M_1)\ M_2$ and the proof tree $\Gamma \vdash M : \phi$ ends with:

$$\frac{\frac{\Gamma, x : \phi_1 \vdash M_1 : \phi}{\Gamma \vdash \lambda x{:}\phi_1.\ M_1 : \phi_1 \to \phi} \quad \Gamma \vdash M_2 : \phi_1}{\Gamma \vdash (\lambda x{:}\phi_1.\ M_1)\ M_2 : \phi}$$

By Lemma 4.4, $\Gamma \vdash M_1[x := M_2] : \phi$.

• $\mathrm{let}\ [a, x{:}\phi_1] := [t, M_1]\ \mathrm{in}\ M_2 \to M_2[a := t][x := M_1]$. The term $M$ has the form $M = \mathrm{let}\ [a, x{:}\phi_1] := [t, M_1]\ \mathrm{in}\ M_2$ and the proof tree $\Gamma \vdash M : \phi$ ends with:

$$\frac{\frac{\Gamma \vdash M_1 : \phi_1[a := t]}{\Gamma \vdash [t, M_1] : \exists a.\ \phi_1} \quad \Gamma, x : \phi_1 \vdash M_2 : \phi}{\Gamma \vdash \mathrm{let}\ [a, x{:}\phi_1] := [t, M_1]\ \mathrm{in}\ M_2 : \phi}$$

Choose $a$ to be fresh. Thus $M_1[a := t] = M_1$ and $\Gamma[a := t] = \Gamma$. By the side-condition of the last typing rule, $a \notin FV(\phi)$, so $\phi[a := t] = \phi$. By Lemma 4.5 we get $\Gamma[a := t], x : \phi_1[a := t] \vdash M_2[a := t] : \phi[a := t]$, so also $\Gamma, x : \phi_1[a := t] \vdash M_2[a := t] : \phi$. By Lemma 4.4 we get $\Gamma \vdash M_2[a := t][x := M_1] : \phi$.

• $\mathrm{axProp}(t, \vec u, \mathrm{axRep}(t, \vec u, M_1)) \to M_1$. In this case the term $M$ has the form $M = \mathrm{axProp}(t, \vec u, \mathrm{axRep}(t, \vec u, M_1))$ and the proof tree ends with:

$$\frac{\frac{\Gamma \vdash M_1 : \phi_A(t, \vec u)}{\Gamma \vdash \mathrm{axRep}(t, \vec u, M_1) : t \in t_A(\vec u)}}{\Gamma \vdash \mathrm{axProp}(t, \vec u, \mathrm{axRep}(t, \vec u, M_1)) : \phi_A(t, \vec u)}$$

The claim follows immediately.

• $\mathrm{ind}_{\psi(a, \vec f)}(\vec t, M_1) \to \lambda c.\ M_1\ c\ (\lambda b.\ \lambda x{:}b \in c.\ \mathrm{ind}_{\psi(a, \vec f)}(\vec t, M_1)\ b)$. The term $M$ has the form $M = \mathrm{ind}_{\psi(a, \vec f)}(\vec t, M_1)$ and the proof tree ends with:

$$\frac{\Gamma \vdash M_1 : \forall c.\ (\forall b.\ b \in c \to \psi(b, \vec t)) \to \psi(c, \vec t)}{\Gamma \vdash \mathrm{ind}_{\psi(a, \vec f)}(\vec t, M_1) : \forall a.\ \psi(a, \vec t)}$$

We choose $b, c, x$ to be fresh. By applying $\alpha$-conversion we can also obtain a proof tree of $\Gamma \vdash M_1 : \forall e.\ (\forall d.\ d \in e \to \psi(d, \vec t)) \to \psi(e, \vec t)$, where $\{d, e\} \cap \{b, c\} = \emptyset$. Then by Weakening we get $\Gamma, x : b \in c \vdash M_1 : \forall e.\ (\forall d.\ d \in e \to \psi(d, \vec t)) \to \psi(e, \vec t)$, so also $\Gamma, x : b \in c \vdash \mathrm{ind}_{\psi(a, \vec f)}(\vec t, M_1) : \forall a.\ \psi(a, \vec t)$. Let the proof tree $T$ be defined as:

$$\frac{\frac{\frac{\Gamma, x : b \in c \vdash \mathrm{ind}_{\psi(a, \vec f)}(\vec t, M_1) : \forall a.\ \psi(a, \vec t)}{\Gamma, x : b \in c \vdash \mathrm{ind}_{\psi(a, \vec f)}(\vec t, M_1)\ b : \psi(b, \vec t)}}{\Gamma \vdash \lambda x{:}b \in c.\ \mathrm{ind}_{\psi(a, \vec f)}(\vec t, M_1)\ b : b \in c \to \psi(b, \vec t)}}{\Gamma \vdash \lambda b.\ \lambda x{:}b \in c.\ \mathrm{ind}_{\psi(a, \vec f)}(\vec t, M_1)\ b : \forall b.\ b \in c \to \psi(b, \vec t)}$$

Then the following proof tree shows the claim:

$$\frac{\frac{\frac{\Gamma \vdash M_1 : \forall c.\ (\forall b.\ b \in c \to \psi(b, \vec t)) \to \psi(c, \vec t)}{\Gamma \vdash M_1\ c : (\forall b.\ b \in c \to \psi(b, \vec t)) \to \psi(c, \vec t)} \quad T}{\Gamma \vdash M_1\ c\ (\lambda b.\ \lambda x{:}b \in c.\ \mathrm{ind}_{\psi(a, \vec f)}(\vec t, M_1)\ b) : \psi(c, \vec t)}}{\Gamma \vdash \lambda c.\ M_1\ c\ (\lambda b.\ \lambda x{:}b \in c.\ \mathrm{ind}_{\psi(a, \vec f)}(\vec t, M_1)\ b) : \forall c.\ \psi(c, \vec t)}$$

□



Lemma 4.7 (Progress). If $\vdash M : \phi$, then either $M$ is a value or there is $N$ such that $M \to N$.

Proof. Straightforward induction on the length of $M$. We show the cases for the terms corresponding to IZF_R^- axioms.

• If $M = \mathrm{axRep}(t, \vec u, N)$, then $M$ is a value.

• If $M = \mathrm{axProp}(t, \vec u, O)$, then we have the following proof tree:

$$\frac{\vdash O : t \in t_A(\vec u)}{\vdash \mathrm{axProp}(t, \vec u, O) : \phi_A(t, \vec u)}$$

By the induction hypothesis, either $O$ is a value or there is $O_1$ such that $O \to O_1$. In the former case, by Canonical Forms, $O = \mathrm{axRep}(t, \vec u, P)$ and $M \to P$. In the latter, by the evaluation rules $\mathrm{axProp}(t, \vec u, O) \to \mathrm{axProp}(t, \vec u, O_1)$.

• The ind terms always reduce. □

Corollary 4.8. If $\vdash M : \phi$ and $M \downarrow v$, then $\vdash v : \phi$ and $v$ is a value.

Corollary 4.9. If $\vdash M : \bot$, then $M$ does not normalize.

Proof. If $M$ normalized, then by Corollary 4.8 we would have a value of type $\bot$, which by Canonical Forms is impossible. □

Finally, we state the formal correspondence between λZ and IZF_R^-:

Lemma 4.10 (Curry-Howard Isomorphism). If $\Gamma \vdash O : \phi$ then IZF_R^- $+\, rg(\Gamma) \vdash \phi$, where $rg(\Gamma) = \{\phi \mid (x, \phi) \in \Gamma\}$. If IZF_R^- $+\, \Gamma \vdash \phi$, then there exists a term $M$ such that $\Gamma' \vdash M : \phi$, where $\Gamma' = \{(x_\phi, \phi) \mid \phi \in \Gamma\}$.

Proof. Both parts follow by easy induction on the proof. The first part is straightforward: to get the claim, simply erase the lambda terms from the proof tree. For the second part, we show terms and trees corresponding to IZF_R^- axioms:

• Let $\phi$ be one of the IZF_R^- axioms apart from $\in$-Induction. Then $\phi = \forall \vec a\ \forall c.\ c \in t_A(\vec a) \leftrightarrow \phi_A(c, \vec a)$ for the axiom (A). Recall that $\phi_1 \leftrightarrow \phi_2$ is an abbreviation for $(\phi_1 \to \phi_2) \land (\phi_2 \to \phi_1)$. Let $M = \lambda x{:}c \in t_A(\vec a).\ \mathrm{axProp}(c, \vec a, x)$ and let $N = \lambda x{:}\phi_A(c, \vec a).\ \mathrm{axRep}(c, \vec a, x)$. Let $S$ be the following proof tree:

$$\frac{\frac{\Gamma, x : c \in t_A(\vec a) \vdash x : c \in t_A(\vec a)}{\Gamma, x : c \in t_A(\vec a) \vdash \mathrm{axProp}(c, \vec a, x) : \phi_A(c, \vec a)}}{\Gamma \vdash M : c \in t_A(\vec a) \to \phi_A(c, \vec a)}$$

And let $T$ be the following proof tree:

$$\frac{\frac{\Gamma, x : \phi_A(c, \vec a) \vdash x : \phi_A(c, \vec a)}{\Gamma, x : \phi_A(c, \vec a) \vdash \mathrm{axRep}(c, \vec a, x) : c \in t_A(\vec a)}}{\Gamma \vdash N : \phi_A(c, \vec a) \to c \in t_A(\vec a)}$$

Then the following proof tree shows the claim:

$$\frac{\frac{S \quad T}{\Gamma \vdash \langle M, N \rangle : c \in t_A(\vec a) \leftrightarrow \phi_A(c, \vec a)}}{\Gamma \vdash \lambda \vec a\ \lambda c.\ \langle M, N \rangle : \forall \vec a\ \forall c.\ c \in t_A(\vec a) \leftrightarrow \phi_A(c, \vec a)}$$

• Let $\phi$ be the $\in$-induction axiom. Let $M = \lambda \vec f\ \lambda x{:}(\forall a.\ (\forall b.\ b \in a \to \psi(b, \vec f)) \to \psi(a, \vec f)).\ \mathrm{ind}_{\psi(a, \vec f)}(\vec f, x)$. The following proof tree shows the claim:

$$\frac{\frac{\Gamma, x : \forall a.\ (\forall b.\ b \in a \to \psi(b, \vec f)) \to \psi(a, \vec f) \vdash x : \forall a.\ (\forall b.\ b \in a \to \psi(b, \vec f)) \to \psi(a, \vec f)}{\Gamma, x : \forall a.\ (\forall b.\ b \in a \to \psi(b, \vec f)) \to \psi(a, \vec f) \vdash \mathrm{ind}_{\psi(a, \vec f)}(\vec f, x) : \forall a.\ \psi(a, \vec f)}}{\Gamma \vdash M : \forall \vec f.\ (\forall a.\ (\forall b.\ b \in a \to \psi(b, \vec f)) \to \psi(a, \vec f)) \to \forall a.\ \psi(a, \vec f)}$$

□

Note that all proofs in this section are constructive and quite weak from the proof-theoretic point of view: Heyting Arithmetic should be sufficient to formalize the arguments. However, by the Curry-Howard isomorphism and Corollary 4.9, normalization of λZ entails consistency of IZF_R^-, which easily interprets Heyting Arithmetic. Therefore a normalization proof must utilize much stronger means, which we introduce in the following section.

5. Realizability for IZF_R^-

In this section we work in ZF. It is likely that IZF_C would be sufficient, as excluded middle is not used explicitly; however, arguments using ordinals and ranks would need to be done very carefully, as the notion of an ordinal in constructive set theories is problematic [Pow75, Tay96].



Our definition of realizability is inspired by McCarty's presentation in his Ph.D. thesis [McC84]. However, while he used it mainly to prove independence results for IZF_C and to carry out recursive mathematics, we use it to prove normalization of λZ.

The realizability relation $\Vdash$ relates realizers with IZF_R formulas over an extended signature. The realizers are terms of λZ; the signature is extended with class-many constants we call λ-names. We proceed with the formal definitions.



Definition 5.1. The set of all values in λZ is denoted by $\Lambda_{val}$.

Definition 5.2. A set $A$ is a λ-name iff $A$ is a set of pairs $(v, B)$ such that $v \in \Lambda_{val}$ and $B$ is a λ-name.

In other words, λ-names are sets hereditarily labelled by λZ values.

Definition 5.3. The class of λ-names is denoted by $V^\lambda$.

Formally, $V^\lambda$ is generated by the following transfinite inductive definition on ordinals:

$$V^\lambda_\alpha = \bigcup_{\beta < \alpha} P(\Lambda_{val} \times V^\lambda_\beta) \qquad V^\lambda = \bigcup_{\alpha \in ORD} V^\lambda_\alpha$$

The λ-rank of a λ-name $A$, denoted by $\lambda rk(A)$, is the smallest $\alpha$ such that $A \in V^\lambda_\alpha$.

Definition 5.4. For any $A \in V^\lambda$, $A^+$ denotes $\{(M, B) \mid M \downarrow v \land (v, B) \in A\}$.

Definition 5.5. An environment is a finite partial function from first-order variables to $V^\lambda$.

We will use the letter $\rho$ to denote environments.

The environments are used to store elements of $V^\lambda$. In order to smoothen the presentation and make the account closer to the standard accounts of realizability for constructive set theories [McC84, Rat05, Rat06], we make it possible for the formulas to mention constants from $V^\lambda$ as well. Strictly speaking this is unnecessary and we could give the account of the realizability relation and the normalization theorem using only environments; the cost to pay would be some loss of clarity.

Formally, we extend the first-order language of IZF_R in the following way:

Definition 5.6. A (class-sized) first-order language $L$ arises by enriching the IZF_R signature with constants for all λ-names.

From now on until the end of this section, the letters $A, B, C$ range over λ-names.

Definition 5.7. For any formula $\phi$ of $L$, any term $t$ of $L$ and $\rho$ defined on all free variables of $\phi$ and $t$, we define by metalevel mutual induction a realizability relation $M \Vdash_\rho \phi$ in an environment $\rho$ and a meaning of a term $\llbracket t \rrbracket_\rho$ in an environment $\rho$:

(1) $\llbracket a \rrbracket_\rho = \rho(a)$

(2) $\llbracket A \rrbracket_\rho = A$

(3) $\llbracket \omega \rrbracket_\rho = \omega'$, where $\omega'$ is defined by means of an inductive definition: $\omega'$ is the smallest set such that:

• $(\mathrm{infRep}(0, N), A) \in \omega'$ if $N \downarrow \mathrm{inl}(O)$, $O \Vdash_\rho A = 0$ and $A \in V^\lambda$.

• If $(M, B) \in \omega'^+$, then $(\mathrm{infRep}(0, N), A) \in \omega'$ if $N \downarrow \mathrm{inr}(N_1)$, $N_1 \downarrow [t, O]$, $O \downarrow \langle M, P \rangle$, $P \Vdash_\rho A = S(B)$, $A \in V^\lambda$.

Note that if $(M, B) \in \omega'^+$, then there is a finite ordinal $\alpha$ such that $B \in V^\lambda_\alpha$.

(4) $\llbracket t_A(\vec u) \rrbracket_\rho = \{(\mathrm{axRep}(0, \vec 0, N), B) \in \Lambda_{val} \times V^\lambda_\gamma \mid N \Vdash_\rho \phi_A(B, \llbracket \vec u \rrbracket_\rho)\}$

(5) $M \Vdash_\rho \bot \equiv \bot$

(6) $M \Vdash_\rho t \in s \equiv M \downarrow v \land (v, \llbracket t \rrbracket_\rho) \in \llbracket s \rrbracket_\rho$

(7) $M \Vdash_\rho \phi \land \psi \equiv M \downarrow \langle M_1, M_2 \rangle \land M_1 \Vdash_\rho \phi \land M_2 \Vdash_\rho \psi$

(8) $M \Vdash_\rho \phi \lor \psi \equiv (M \downarrow \mathrm{inl}(M_1) \land M_1 \Vdash_\rho \phi) \lor (M \downarrow \mathrm{inr}(M_1) \land M_1 \Vdash_\rho \psi)$

(9) $M \Vdash_\rho \phi \to \psi \equiv (M \downarrow \lambda x.\ M_1) \land \forall N.\ (N \Vdash_\rho \phi) \to (M_1[x := N] \Vdash_\rho \psi)$

(10) $M \Vdash_\rho \forall a.\ \phi \equiv M \downarrow \lambda a.\ N \land \forall A \in V^\lambda\ \forall t \in Tms.\ N[a := t] \Vdash_\rho \phi[a := A]$

(11) $M \Vdash_\rho \exists a.\ \phi \equiv M \downarrow [t, N] \land \exists A \in V^\lambda.\ N \Vdash_\rho \phi[a := A]$

Note that $M \Vdash_\rho A \in B$ iff $(M, A) \in B^+$.



The definition of the ordinal $\gamma$ in item (4) depends on $t_A(\vec u)$. This ordinal is close to the rank of the set denoted by $t_A(\vec u)$ and is chosen so that Lemma 5.18 can be proven. Let $\vec\alpha = \lambda rk(\llbracket \vec u \rrbracket_\rho)$. Case $t_A(\vec u)$ of:

• $\emptyset$: $\gamma = 0$.

• $\{u_1, u_2\}$: $\gamma = \max(\alpha_1, \alpha_2)$.

• $P(u)$: $\gamma = \alpha + 1$.

• $\bigcup u$: $\gamma = \alpha$.

• $R_{\phi(a, b, \vec f)}(u, \vec u)$. This case is more complicated. The names are chosen to match the corresponding clause in the proof of Lemma 5.18. Let $G = \{(N_1, (N_{21}, B)) \in \Lambda \times \llbracket u \rrbracket_\rho^+ \mid \exists d \in V^\lambda.\ \psi(N_1, N_{21}, B, d)\}$, where $\psi(N_1, N_{21}, B, d) \equiv (N_1 \downarrow \lambda a.\ N_{11}) \land (N_{11} \downarrow \lambda x.\ O) \land \exists s \in Tms.\ (O[x := N_{21}] \downarrow [s, O_1]) \land (O_1 \Vdash_\rho \phi(B, d, \vec u) \land \forall e.\ \phi(B, e, \vec u) \to e = d)$. Then for all $g \in G$ there is $D$ and $(N_1, (N_{21}, B))$ such that $g = (N_1, (N_{21}, B))$ and $\psi(N_1, N_{21}, B, D)$. Use Collection to collect these $D$'s in one set $H$, so that for all $g \in G$ there is $D \in H$ such that the property holds. Apply Replacement to $H$ to get the set of λ-ranks of sets in $H$. Then $\beta$, the union of this set of ranks, is an ordinal and for any $D \in H$, $\lambda rk(D) \le \beta$. Therefore for all $g \in G$ there is $D \in V^\lambda_\beta$ and $(N_1, (N_{21}, B))$ such that $g = (N_1, (N_{21}, B))$ and $\psi(N_1, N_{21}, B, D)$ holds. Set $\gamma = \beta + 1$.

Lemma 5.8. The definition of realizability is well-founded.

Proof. We define a measure function $m$ which takes a clause in the definition and returns a triple of natural numbers:

• $m(M \Vdash_\rho \phi) = $ ("number of constants $\omega$ in $\phi$", "number of function symbols in $\phi$", "structural complexity of $\phi$")

• $m(\llbracket t \rrbracket_\rho) = $ ("number of constants $\omega$ in $t$", "number of function symbols in $t$", $0$)

With the lexicographical order on $\mathbb{N}^3$, it is trivial to check that the measure of the definiendum is always greater than the measure of the definiens: the number of terms does not increase in the clauses for realizability and the formula complexity goes down; in the clause for $\omega$, $\omega$ disappears; and in the rest of the clauses for terms, the topmost $t_A$ disappears. Since $\mathbb{N}^3$ with the lexicographical order is well-founded, the claim follows. □

Since the definition is well-founded, (metalevel) inductive proofs on the definition of 
realizability are justified, such as the proof of the following lemma: 

Lemma 5.9. $\llbracket t[a := s] \rrbracket_\rho = \llbracket t[a := \llbracket s \rrbracket_\rho] \rrbracket_\rho = \llbracket t \rrbracket_{\rho[a := \llbracket s \rrbracket_\rho]}$ and $M \Vdash_\rho \phi[a := s]$ iff $M \Vdash_\rho \phi[a := \llbracket s \rrbracket_\rho]$ iff $M \Vdash_{\rho[a := \llbracket s \rrbracket_\rho]} \phi$.

Proof. Straightforward induction on the definition of realizability. We show representative cases. Case $t$ of:

• $A$. Then $\llbracket t[a := s] \rrbracket_\rho = \llbracket t[a := \llbracket s \rrbracket_\rho] \rrbracket_\rho = \llbracket t \rrbracket_{\rho[a := \llbracket s \rrbracket_\rho]} = A$.

• $a$. Then $\llbracket t[a := s] \rrbracket_\rho = \llbracket s \rrbracket_\rho$, $\llbracket t[a := \llbracket s \rrbracket_\rho] \rrbracket_\rho = \llbracket \llbracket s \rrbracket_\rho \rrbracket_\rho = \llbracket s \rrbracket_\rho$ and also $\llbracket t \rrbracket_{\rho[a := \llbracket s \rrbracket_\rho]} = \llbracket s \rrbracket_\rho$.

• $t_A(\vec u)$. Then $\llbracket t[a := s] \rrbracket_\rho = \{ (\mathrm{axRep}(0, 0, N), A) \mid N \Vdash_\rho \phi_A(A, \vec u[a := s]) \}$. By the induction hypothesis, this set is equal to $\{ (\mathrm{axRep}(0, 0, N), A) \mid N \Vdash_\rho \phi_A(A, \vec u[a := \llbracket s \rrbracket_\rho]) \} = \llbracket t[a := \llbracket s \rrbracket_\rho] \rrbracket_\rho$ and also to $\{ (\mathrm{axRep}(0, 0, N), A) \mid N \Vdash_{\rho[a := \llbracket s \rrbracket_\rho]} \phi_A(A, \vec u) \}$ and thus to $\llbracket t \rrbracket_{\rho[a := \llbracket s \rrbracket_\rho]}$.

Case $\phi$ of:

• $t \in u$. We have $M \Vdash_\rho (t \in u)[a := s]$ iff $M \Vdash_\rho t[a := s] \in u[a := s]$ iff $M \downarrow v$ and $(v, \llbracket t[a := s] \rrbracket_\rho) \in \llbracket u[a := s] \rrbracket_\rho$. By the induction hypothesis, this is equivalent to $(v, \llbracket t[a := \llbracket s \rrbracket_\rho] \rrbracket_\rho) \in \llbracket u[a := \llbracket s \rrbracket_\rho] \rrbracket_\rho$ and to $(v, \llbracket t \rrbracket_{\rho[a := \llbracket s \rrbracket_\rho]}) \in \llbracket u \rrbracket_{\rho[a := \llbracket s \rrbracket_\rho]}$, so also to $M \Vdash_\rho t[a := \llbracket s \rrbracket_\rho] \in u[a := \llbracket s \rrbracket_\rho]$ and to $M \Vdash_{\rho[a := \llbracket s \rrbracket_\rho]} t \in u$. This shows the claim.

• $\forall b.\, \phi$. We have $M \Vdash_\rho (\forall b.\, \phi)[a := s]$ iff (choosing $b$ to be fresh) $M \Vdash_\rho \forall b.\, \phi[a := s]$ iff $M \downarrow \lambda b.\, N$ and $\forall A \in V^\lambda, \forall u \in \mathit{Tms}.\ N[b := u] \Vdash_\rho \phi[a := s][b := A]$. By the choice of $b$, this is equivalent to $\forall A \in V^\lambda, \forall u \in \mathit{Tms}.\ N[b := u] \Vdash_\rho \phi[b := A][a := s]$. By the induction hypothesis, this is equivalent to $\forall A \in V^\lambda, \forall u \in \mathit{Tms}.\ N[b := u] \Vdash_\rho \phi[b := A][a := \llbracket s \rrbracket_\rho]$ and to $\forall A \in V^\lambda, \forall u \in \mathit{Tms}.\ N[b := u] \Vdash_{\rho[a := \llbracket s \rrbracket_\rho]} \phi[b := A]$, from which we easily recover the claim. □

Lemma 5.10. If $M \Vdash_\rho \phi$ then $M \downarrow$.

Proof. Straightforward from the definition of realizability. For $\phi = \bot$ the claim trivially follows, and in every other case the definition starts with a clause assuring normalization of $M$. □

Lemma 5.11. If $M \to^* M'$ then $M' \Vdash_\rho \phi$ iff $M \Vdash_\rho \phi$.

Proof. Whether $M \Vdash_\rho \phi$ or not depends only on the value of $M$, which does not change with reduction or expansion. □

Lemma 5.12. If $\rho$ agrees with $\rho'$ on $FV(\phi)$, then $M \Vdash_\rho \phi$ iff $M \Vdash_{\rho'} \phi$. In particular, if $a \notin FV(\phi)$, then $M \Vdash_\rho \phi$ iff $M \Vdash_{\rho[a := A]} \phi$.

Proof. Straightforward induction on the definition of realizability: the environment is used only to provide the meaning of the free variables of terms in a formula. □

Lemma 5.13. If $M \Vdash_\rho \phi \to \psi$ and $N \Vdash_\rho \phi$, then $M\,N \Vdash_\rho \psi$.

Proof. Suppose $M \Vdash_\rho \phi \to \psi$. Then $M \downarrow (\lambda x.\, O)$ and for all $P \Vdash_\rho \phi$, $O[x := P] \Vdash_\rho \psi$. Now, $M\,N \to^* (\lambda x.\, O)\,N \to O[x := N]$. Lemma 5.11 gives us the claim. □

We now prove a sequence of lemmas which culminates in Lemma 5.18, the keystone in the normalization proof.

Lemma 5.14. If $A \in V^\lambda_\alpha$ then there is $\beta < \alpha$ such that for all $B$, if $M \Vdash_\rho B \in A$, then $B \in V^\lambda_\beta$. Also, if $M \Vdash_\rho B = A$, then $B \in V^\lambda_\alpha$.

Proof. Take $A \in V^\lambda_\alpha$. Then there is $\beta < \alpha$ such that $A \in P(\Lambda_v \times V^\lambda_\beta)$. Take any $B$. If $M \Vdash_\rho B \in A$, then $M \downarrow v$ and $(v, B) \in A$, so $B \in V^\lambda_\beta$.

For the second part, suppose $M \Vdash_\rho A = B$. This means that $M \Vdash_\rho \forall c.\ c \in A \leftrightarrow c \in B$, so $M \downarrow \lambda c.\, N$ and for all $t \in \mathit{Tms}$, for all $C$, $N[c := t] \Vdash_\rho C \in A \leftrightarrow C \in B$, so $\forall t, C.\ N[c := t] \downarrow (M_1, M_2)$, $M_1 \Vdash_\rho C \in A \to C \in B$ and $M_2 \Vdash_\rho C \in B \to C \in A$. Thus, for all $t, C$, $M_2 \downarrow \lambda x.\, M_3$ and for all $M_4 \Vdash_\rho C \in B$, $M_3[x := M_4] \Vdash_\rho C \in A$. Take any element $(v, C) \in B$. Then $v \Vdash_\rho C \in B$, so $M_3[x := v] \Vdash_\rho C \in A$. Thus by the first part, $C \in V^\lambda_\beta$. Therefore $B \subseteq \Lambda_v \times V^\lambda_\beta$, so $B \in P(\Lambda_v \times V^\lambda_\beta) = V^\lambda_{\beta+1}$, so $B \in V^\lambda_\alpha$. □

The following two lemmas will be used for the treatment of $\omega$ in Lemma 5.18.

Lemma 5.15. If $A, B \in V^\lambda_\alpha$, then $\llbracket \{A, B\} \rrbracket_\rho \in V^\lambda_{\alpha+1}$.

Proof. Take any $(M, C) \in \llbracket \{A, B\} \rrbracket_\rho$. By the definition of $\llbracket \{A, B\} \rrbracket_\rho$, any such $C$ is in $V^\lambda_\alpha$, so $\llbracket \{A, B\} \rrbracket_\rho \in V^\lambda_{\alpha+1}$. □

Lemma 5.16. If $A \in V^\lambda_\alpha$ and $(M, C) \in \llbracket \bigcup A \rrbracket_\rho$, then $C \in V^\lambda_\alpha$.

Proof. By the definition of $\llbracket \bigcup A \rrbracket_\rho$, if $(M, C) \in \llbracket \bigcup A \rrbracket_\rho$ then $(M, C) \in \Lambda_v \times V^\lambda_{\lambda rk(A)}$, so $C \in V^\lambda_\alpha$. □

Lemma 5.17. If $A \in V^\lambda_\alpha$ and $M \Vdash_\rho B = S(A)$, then $B \in V^\lambda_{\alpha+3}$.

Proof. $M \Vdash_\rho B = S(A)$ means $M \Vdash_\rho B = \bigcup \{A, \{A, A\}\}$. By Lemma 5.14 it suffices to show that $\llbracket \bigcup \{A, \{A, A\}\} \rrbracket_\rho \in V^\lambda_{\alpha+3}$. Applying Lemma 5.15 twice, we find that $\llbracket \{A, \{A, A\}\} \rrbracket_\rho \in V^\lambda_{\alpha+2}$. By Lemma 5.16, if $(M, C) \in \llbracket \bigcup \{A, \{A, A\}\} \rrbracket_\rho$, then $C \in V^\lambda_{\alpha+2}$, which shows the claim. □

The following lemma states the crucial property of the realizability relation.

Lemma 5.18. $(M, A) \in \llbracket t_A(\vec u) \rrbracket_\rho$ iff $M = \mathrm{axRep}(0, 0, N)$ and $N \Vdash_\rho \phi_A(A, \llbracket \vec u \rrbracket_\rho)$.

Proof. For all terms apart from $\omega$, the left-to-right part is immediate. For the right-to-left part, suppose $N \Vdash_\rho \phi_A(A, \llbracket \vec u \rrbracket_\rho)$ and $M = \mathrm{axRep}(0, 0, N)$. To show that $(M, A) \in \llbracket t_A(\vec u) \rrbracket_\rho$, we need to show that $A \in V^\lambda_\gamma$. The proof proceeds by case analysis on $t_A(\vec u)$. Let $\alpha = \lambda rk(\llbracket u \rrbracket_\rho)$. Case $t_A(\vec u)$ of:

• $0$. If $N \Vdash_\rho \bot$ then anything holds, in particular $A \in V^\lambda_0$.

• $\{u_1, u_2\}$. Suppose that $N \Vdash_\rho A = \llbracket u_1 \rrbracket_\rho \lor A = \llbracket u_2 \rrbracket_\rho$. Then either $N \downarrow \mathrm{inl}(N_1) \land N_1 \Vdash_\rho A = \llbracket u_1 \rrbracket_\rho$ or $N \downarrow \mathrm{inr}(N_1) \land N_1 \Vdash_\rho A = \llbracket u_2 \rrbracket_\rho$. By Lemma 5.14, in the former case $A \in V^\lambda_{\alpha_1}$, in the latter $A \in V^\lambda_{\alpha_2}$, so $A \in V^\lambda_{\max(\alpha_1, \alpha_2)}$.

• $P(u)$. Suppose that $N \Vdash_\rho \forall c.\ c \in A \to c \in \llbracket u \rrbracket_\rho$. Then $N \downarrow \lambda c.\, N_1$ and for all $t, C$, $N_1[c := t] \downarrow \lambda x.\, N_2$ and $\forall O.\ (O \Vdash_\rho C \in A) \to N_2[x := O] \Vdash_\rho C \in \llbracket u \rrbracket_\rho$. Take any $(v, B) \in A$. Then $v \Vdash_\rho B \in A$. So $N_2[x := v] \Vdash_\rho B \in \llbracket u \rrbracket_\rho$. By Lemma 5.14 any such $B$ is in $V^\lambda_\alpha$, so $A \in V^\lambda_{\alpha+1}$.

• $\bigcup u$. Suppose $N \Vdash_\rho \exists c.\ c \in \llbracket u \rrbracket_\rho \land A \in c$. Then $N \downarrow [t, O]$ and there is $C$ such that $O \downarrow (O_1, O_2)$, $O_1 \Vdash_\rho C \in \llbracket u \rrbracket_\rho$ and $O_2 \Vdash_\rho A \in C$. Two applications of Lemma 5.14 provide the claim.

• $S_{\phi(a, \vec f)}(u, \vec u)$. Suppose $N \Vdash_\rho A \in \llbracket u \rrbracket_\rho \land \phi(A, \llbracket \vec u \rrbracket_\rho)$. Then $N \downarrow (N_1, N_2)$ and $N_1 \Vdash_\rho A \in \llbracket u \rrbracket_\rho$. Lemma 5.14 shows the claim.

• $R_{\phi(a, b, \vec f)}(u, \vec u)$. Suppose $N \Vdash_\rho (\forall x \in \llbracket u \rrbracket_\rho \exists ! y.\ \phi(x, y, \llbracket \vec u \rrbracket_\rho)) \land \exists x \in \llbracket u \rrbracket_\rho.\ \phi(x, A, \llbracket \vec u \rrbracket_\rho)$. Then $N \downarrow (N_1, N_2)$ and $N_2 \Vdash_\rho \exists x \in \llbracket u \rrbracket_\rho.\ \phi(x, A, \llbracket \vec u \rrbracket_\rho)$. Thus $N_2 \downarrow [t, N_{20}]$, $N_{20} \downarrow (N_{21}, N_{22})$ and there is $B$ such that $N_{21} \Vdash_\rho B \in \llbracket u \rrbracket_\rho$ and $N_{22} \Vdash_\rho \phi(B, A, \llbracket \vec u \rrbracket_\rho)$. We also have $N_1 \Vdash_\rho \forall x \in \llbracket u \rrbracket_\rho \exists ! y.\ \phi(x, y, \llbracket \vec u \rrbracket_\rho)$, so $N_1 \downarrow \lambda a.\, N_{11}$ and for all $C, t$, $N_{11}[a := t] \downarrow \lambda x.\, O$ and for all $P \Vdash_\rho C \in \llbracket u \rrbracket_\rho$, $O[x := P] \Vdash_\rho \exists ! y.\ \phi(C, y, \llbracket \vec u \rrbracket_\rho)$. So taking $C = B$, $t = a$ and $P = N_{21}$, there is $D$ such that $N_1 \downarrow \lambda a.\, N_{11}$, $N_{11} \downarrow \lambda x.\, O$, $O[x := N_{21}] \downarrow [s, O_1]$ and $O_1 \Vdash_\rho \phi(B, D, \llbracket \vec u \rrbracket_\rho) \land \forall e.\ \phi(B, e, \llbracket \vec u \rrbracket_\rho) \to e = D$. Therefore $(N_1, (N_{21}, B)) \in G$ from the definition of $\gamma$, so there is $D \in V^\lambda_\beta$ such that $N_1 \downarrow \lambda a.\, N_{11}$, $N_{11} \downarrow \lambda x.\, O$, $O[x := N_{21}] \downarrow [s, O_1]$ and $O_1 \Vdash_\rho \phi(B, D, \llbracket \vec u \rrbracket_\rho) \land \forall e.\ \phi(B, e, \llbracket \vec u \rrbracket_\rho) \to e = D$. So $O_1 \downarrow (O_{11}, O_{12})$ and $O_{12} \Vdash_\rho \forall e.\ \phi(B, e, \llbracket \vec u \rrbracket_\rho) \to e = D$. Therefore $O_{12} \downarrow \lambda a.\, Q$, $Q \downarrow \lambda x.\, Q_1$ (since we can take again $t = a$ and $Q[a := a] = Q$) and $Q_1[x := N_{22}] \Vdash_\rho A = D$. By Lemma 5.14, $A \in V^\lambda_\beta$.

Now we tackle $\omega$. For the left-to-right direction, obviously $M = \mathrm{infRep}(0, N)$. For the claim about $N$, we proceed by induction on the definition of $\omega'$:

• The base case. Then $N \downarrow \mathrm{inl}(O)$ and $O \Vdash_\rho A = 0$, so $N \Vdash_\rho A = 0 \lor \exists y \in \omega'.\ A = S(y)$.

• The inductive step. Then $N \downarrow \mathrm{inr}(N_1)$, $N_1 \downarrow [t, O]$, $O \downarrow (M', P)$, $(M', B) \in \omega'^{+}$, $P \Vdash_\rho A = S(B)$. Therefore, there is $C$ (namely $B$) such that $M' \Vdash_\rho C \in \omega'$ and $P \Vdash_\rho A = S(C)$. Thus $[t, O] \Vdash_\rho \exists y.\ y \in \omega' \land A = S(y)$, so $N \Vdash_\rho A = 0 \lor \exists y \in \omega'.\ A = S(y)$.

For the right-to-left direction, suppose $N \Vdash_\rho A = 0 \lor (\exists y.\ y \in \omega' \land A = S(y))$. Then either $N \downarrow \mathrm{inl}(N_1)$ or $N \downarrow \mathrm{inr}(N_1)$. In the former case, $N_1 \Vdash_\rho A = 0$, so by Lemma 5.14 $A \in V^\lambda$. In the latter, $N_1 \Vdash_\rho \exists y.\ y \in \omega' \land A = S(y)$. Thus $N_1 \downarrow [t, O]$ and there is $B$ such that $O \Vdash_\rho B \in \omega' \land A = S(B)$. So $O \downarrow (M', P)$, $(M', B) \in \omega'^{+}$ and $P \Vdash_\rho A = S(B)$. This is exactly the inductive step of the definition of $\omega'$, so it remains to show that $A \in V^\lambda$. Since $(M', B) \in \omega'^{+}$, there is a finite ordinal $\alpha$ such that $B \in V^\lambda_\alpha$. By Lemma 5.17 $A \in V^\lambda_{\alpha+3}$, so also $A \in V^\lambda$ and we get the claim. □

6. Normalization

In this section, environments $\rho$ are finite partial functions mapping proof variables to terms of $\lambda Z$ and first-order variables to pairs $(t, A)$, where $t \in \mathit{Tms}$ and $A \in V^\lambda$. Therefore, $\rho : \mathit{Var} \cup \mathit{FVar} \to \Lambda \cup (\mathit{Tms} \times V^\lambda)$, where $\mathit{Var}$ denotes the set of proof variables and $\mathit{FVar}$ denotes the set of first-order variables. For any $\rho$, $\rho_T$ denotes the restriction of $\rho$ to the mapping from first-order variables into terms: $\rho_T = \lambda a \in \mathit{FVar}.\ \pi_1(\rho(a))$. Note that any $\rho$ can be used as a realizability environment by considering only the mapping of first-order variables to $V^\lambda$.

We first define a reduction-preserving forgetting map $M \mapsto \overline{M}$ on the terms of $\lambda Z$. The map changes all first-order arguments of axRep and axProp terms to $0$. It is induced inductively in a natural way by the cases:

$\overline{\mathrm{axRep}(t, \vec u, M)} = \mathrm{axRep}(0, 0, \overline{M}) \qquad \overline{\mathrm{axProp}(t, \vec u, M)} = \mathrm{axProp}(0, 0, \overline{M})$

So for example, $\overline{\lambda a.\, M} = \lambda a.\, \overline{M}$, $\overline{[t, M]} = [t, \overline{M}]$, $\overline{(M, N)} = (\overline{M}, \overline{N})$ and so on. The reduction-preserving character of the map is captured by the following lemmas:

Lemma 6.1. If $M \to N$ then $\overline{M} \to \overline{N}$.

Proof. Straightforward. The first-order terms mapped to $0$ do not play a role in reductions. □

Lemma 6.2. If $\overline{M}$ normalizes, then so does $M$.

Proof. By Lemma 6.1 an infinite reduction sequence starting from $M$ would induce an infinite reduction sequence starting from $\overline{M}$. □

Definition 6.3. For a sequent $\Gamma \vdash \phi$, $\rho \models \Gamma \vdash M : \phi$ means that $\rho$ is defined on $FV(\Gamma, M, \phi)$ and for all $(x_i, \phi_i) \in \Gamma$, $\rho(x_i) \Vdash_\rho \phi_i$.

Note that if $\rho \models \Gamma \vdash M : \phi$, then for any term $t$ in $\Gamma, \phi$, $\llbracket t \rrbracket_\rho$ is defined and so is the realizability relation $M \Vdash_\rho \phi$.

Definition 6.4. For a sequent $\Gamma \vdash M : \phi$, if $\rho \models \Gamma \vdash M : \phi$ then $M[\rho]$ is $\overline{M}[x_1 := \rho(x_1), \ldots, x_n := \rho(x_n), a_1 := \rho_T(a_1), \ldots, a_k := \rho_T(a_k)]$, where $FV(M) = \{x_1, \ldots, x_n\}$ and $FV_F(M) = \{a_1, \ldots, a_k\}$. Similarly, if $\rho$ is defined on the free variables $a_1, \ldots, a_k$ of $t$, then $t[\rho]$ denotes $t[a_1 := \rho_T(a_1), \ldots, a_k := \rho_T(a_k)]$.

Lemma 6.5. If $\rho$ is not defined on $x$, then $M[\rho][x := N] = M[\rho[x := N]]$. Also if $\rho$ is not defined on $a$, then $M[\rho][a := t] = M[\rho[a := (t, A)]]$.

Proof. Straightforward structural induction on $M$. □

Theorem 6.6 (Normalization). If $\Gamma \vdash M : \vartheta$ then for all $\rho \models \Gamma \vdash M : \vartheta$, $M[\rho] \Vdash_\rho \vartheta$.

Proof. For any $\lambda Z$ term $M$, $M'$ in the proof denotes $M[\rho]$. We proceed by metalevel induction on $\Gamma \vdash M : \vartheta$. Case $\Gamma \vdash M : \vartheta$ of:

• The variable rule. Then $M' = \rho(x)$ and the claim follows.

• $\dfrac{\Gamma \vdash M : \phi \to \psi \qquad \Gamma \vdash N : \phi}{\Gamma \vdash M\,N : \psi}$

By the induction hypothesis, $M' \Vdash_\rho \phi \to \psi$ and $N' \Vdash_\rho \phi$. Lemma 5.13 gives the claim.

• $\dfrac{\Gamma, x : \phi \vdash M : \psi}{\Gamma \vdash \lambda x : \phi.\, M : \phi \to \psi}$

Take any $\rho \models \Gamma$ and fresh $x$. We need to show that for any $N \Vdash_\rho \phi$, $M'[x := N] \Vdash_\rho \psi$. Take any such $N$. Let $\rho' = \rho[x := N]$. Then $\rho' \models \Gamma, x : \phi \vdash M : \psi$, so by the induction hypothesis $M[\rho'] \Vdash_{\rho'} \psi$. Since $x$ is fresh, $\rho$ is undefined on $x$, so by Lemma 6.5 $M[\rho'] = M[\rho][x := N] = M'[x := N]$. Therefore $M'[x := N] \Vdash_{\rho'} \psi$. Since $\rho'$ agrees with $\rho$ on logic variables, by Lemma 5.12 we get $M'[x := N] \Vdash_\rho \psi$.

• $\dfrac{\Gamma \vdash M : \bot}{\Gamma \vdash \mathrm{magic}(M) : \phi}$

By the induction hypothesis, $M' \Vdash_\rho \bot$, which is not the case, so anything holds, in particular $\mathrm{magic}(M') \Vdash_\rho \phi$.

• $\dfrac{\Gamma \vdash M : \phi \land \psi}{\Gamma \vdash \mathrm{fst}(M) : \phi}$

By the induction hypothesis, $M' \Vdash_\rho \phi \land \psi$, so $M' \downarrow (M_1, M_2)$ and $M_1 \Vdash_\rho \phi$. Therefore $\mathrm{fst}(M') \to^* \mathrm{fst}((M_1, M_2)) \to M_1$. Lemma 5.11 gives the claim.

• $\dfrac{\Gamma \vdash M : \phi \land \psi}{\Gamma \vdash \mathrm{snd}(M) : \psi}$

Symmetric to the previous case.

• $\dfrac{\Gamma \vdash M : \phi \qquad \Gamma \vdash N : \psi}{\Gamma \vdash (M, N) : \phi \land \psi}$

All we need to show is $M' \Vdash_\rho \phi$ and $N' \Vdash_\rho \psi$, which we get from the induction hypothesis.

• $\dfrac{\Gamma \vdash M : \phi}{\Gamma \vdash \mathrm{inl}(M) : \phi \lor \psi}$

We need to show that $M' \Vdash_\rho \phi$, which we get from the induction hypothesis.

• $\dfrac{\Gamma \vdash M : \psi}{\Gamma \vdash \mathrm{inr}(M) : \phi \lor \psi}$

Symmetric to the previous case.

• $\dfrac{\Gamma \vdash M : \phi \lor \psi \qquad \Gamma, x : \phi \vdash N : \vartheta \qquad \Gamma, x : \psi \vdash O : \vartheta}{\Gamma \vdash \mathrm{case}(M, x : \phi.\, N, x : \psi.\, O) : \vartheta}$

By the induction hypothesis, $M' \Vdash_\rho \phi \lor \psi$. Take $x$ fresh, so that $\rho$ is undefined on $x$. Therefore either $M' \downarrow \mathrm{inl}(M_1)$ and $M_1 \Vdash_\rho \phi$ or $M' \downarrow \mathrm{inr}(M_2)$ and $M_2 \Vdash_\rho \psi$. We only treat the former case, the latter is symmetric. Since $\rho[x := M_1] \models \Gamma, x : \phi \vdash N : \vartheta$, by the induction hypothesis we get $N[\rho[x := M_1]] \Vdash_\rho \vartheta$. We also have $\mathrm{case}(M', x : \phi.\, N', x : \psi.\, O') \to^* \mathrm{case}(\mathrm{inl}(M_1), x : \phi.\, N', x : \psi.\, O') \to N'[x := M_1]$. By Lemma 6.5 $N'[x := M_1] = N[\rho[x := M_1]]$, so Lemma 5.11 gives us the claim.

• $\dfrac{\Gamma \vdash M : \phi}{\Gamma \vdash \lambda a.\, M : \forall a.\, \phi}$

By the induction hypothesis, for all $\rho' \models \Gamma \vdash M : \phi$, $M[\rho'] \Vdash_{\rho'} \phi$. We need to show that for all $\rho \models \Gamma \vdash \lambda a.\, M : \forall a.\, \phi$, $(\lambda a.\, M)[\rho] \Vdash_\rho \forall a.\, \phi$. Take any such $\rho$. Using $\alpha$-conversion we can assure that $\rho$ is not defined on $a$, so it suffices to show that $\lambda a.\, M[\rho] \Vdash_\rho \forall a.\, \phi$, which is equivalent to $\forall A, t.\ M[\rho][a := t] \Vdash_\rho \phi[a := A]$. Take any $A$ and $t$. By Lemma 5.9 it suffices to show that $M[\rho][a := t] \Vdash_{\rho[a := A]} \phi$. Since $\rho[a := (t, A)] \models \Gamma \vdash M : \phi$, by the induction hypothesis we get $M[\rho[a := (t, A)]] \Vdash_{\rho[a := (t, A)]} \phi$. By Lemma 6.5 $M[\rho][a := t] = M[\rho[a := (t, A)]]$, which shows the claim.

• $\dfrac{\Gamma \vdash M : \forall a.\, \phi}{\Gamma \vdash M\,t : \phi[a := t]}$

By the induction hypothesis, $M' \Vdash_\rho \forall a.\, \phi$, so $M' \downarrow \lambda a.\, N$ and $\forall A, u.\ N[a := u] \Vdash_\rho \phi[a := A]$. In particular $N[a := t[\rho]] \Vdash_\rho \phi[a := \llbracket t \rrbracket_\rho]$. By Lemma 5.9 $N[a := t[\rho]] \Vdash_\rho \phi[a := t]$. Since $(M\,t)[\rho] = M'\,(t[\rho]) \to^* (\lambda a.\, N)\,t[\rho] \to N[a := t[\rho]]$, Lemma 5.11 gives us the claim.

• $\dfrac{\Gamma \vdash M : \phi[a := t]}{\Gamma \vdash [t, M] : \exists a.\, \phi}$

By the induction hypothesis, $M' \Vdash_\rho \phi[a := t]$, so by Lemma 5.9 $M' \Vdash_\rho \phi[a := \llbracket t \rrbracket_\rho]$. Thus, there is a $\lambda$-name $A$, namely $\llbracket t \rrbracket_\rho$, such that $M' \Vdash_\rho \phi[a := A]$. Thus, $[t, M][\rho] = [t[\rho], M'] \Vdash_\rho \exists a.\, \phi$, which is what we want.

• $\dfrac{\Gamma \vdash M : \exists a.\, \phi \qquad \Gamma, x : \phi \vdash N : \psi}{\Gamma \vdash \mathrm{let}\ [a, x : \phi] := M\ \mathrm{in}\ N : \psi}\ a \notin FV(\Gamma, \psi)$

Let $\rho \models \Gamma \vdash \mathrm{let}\ [a, x : \phi] := M\ \mathrm{in}\ N : \psi$. Choose $x, a$ so that $\rho$ is undefined on these variables. We need to show $(\mathrm{let}\ [a, x : \phi] := M\ \mathrm{in}\ N)[\rho] = \mathrm{let}\ [a, x : \phi] := M'\ \mathrm{in}\ N[\rho] \Vdash_\rho \psi$. By the induction hypothesis, $M' \Vdash_\rho \exists a.\, \phi$, so $M' \downarrow [t, M_1]$ and for some $A$, $M_1 \Vdash_\rho \phi[a := A]$. By the induction hypothesis again, for any $\rho' \models \Gamma, x : \phi \vdash N : \psi$ we have $N[\rho'] \Vdash_{\rho'} \psi$. Take $\rho' = \rho[x := M_1, a := (t, A)]$. Since $a \notin FV(\psi)$, by Lemma 5.12 $N[\rho'] \Vdash_\rho \psi$. Now, $\mathrm{let}\ [a, x : \phi] := M'\ \mathrm{in}\ N[\rho] \to^* \mathrm{let}\ [a, x : \phi] := [t, M_1]\ \mathrm{in}\ N[\rho] \to N[\rho][a := t][x := M_1] = N[\rho']$. Lemma 5.11 gives us the claim.

• $\dfrac{\Gamma \vdash M : \phi_A(t, \vec u)}{\Gamma \vdash \mathrm{axRep}(t, \vec u, M) : t \in t_A(\vec u)}$

By the induction hypothesis, $M' \Vdash_\rho \phi_A(t, \vec u)$. By Lemma 5.9 this is equivalent to $M' \Vdash_\rho \phi_A(\llbracket t \rrbracket_\rho, \llbracket \vec u \rrbracket_\rho)$. By Lemma 5.18 $(\mathrm{axRep}(0, 0, M'), \llbracket t \rrbracket_\rho) \in \llbracket t_A(\vec u) \rrbracket_\rho$, so $\mathrm{axRep}(t, \vec u, M)[\rho] \Vdash_\rho t \in t_A(\vec u)$.

• $\dfrac{\Gamma \vdash M : t \in t_A(\vec u)}{\Gamma \vdash \mathrm{axProp}(t, \vec u, M) : \phi_A(t, \vec u)}$

By the induction hypothesis, $M' \Vdash_\rho t \in t_A(\vec u)$. This means that $M' \downarrow v$ and $(v, \llbracket t \rrbracket_\rho) \in \llbracket t_A(\vec u) \rrbracket_\rho$. By Lemma 5.18 $v = \mathrm{axRep}(0, 0, N)$ and $N \Vdash_\rho \phi_A(\llbracket t \rrbracket_\rho, \llbracket \vec u \rrbracket_\rho)$. By Lemma 5.9 $N \Vdash_\rho \phi_A(t, \vec u)$. Moreover,

$\mathrm{axProp}(t, \vec u, M)[\rho] = \mathrm{axProp}(0, 0, M') \to^* \mathrm{axProp}(0, 0, \mathrm{axRep}(0, 0, N)) \to N.$

Lemma 5.11 gives us the claim.

• $\dfrac{\Gamma \vdash M : \forall c.\ (\forall b.\ b \in c \to \phi(b, \vec t)) \to \phi(c, \vec t)}{\Gamma \vdash \mathrm{ind}_{\phi(a, \vec f)}(\vec t, M) : \forall a.\ \phi(a, \vec t)}$

Since $\mathrm{ind}_{\phi(a, \vec f)}(\vec t, M')$ reduces to $\lambda c.\ M'\,c\,(\lambda b.\, \lambda x.\, \mathrm{ind}_{\phi(a, \vec f)}(\vec t, M')\,b)$, by Lemma 5.11 it suffices to show that for all $C, t$, $M'\,t\,(\lambda b.\, \lambda x.\, \mathrm{ind}_{\phi(a, \vec f)}(\vec t, M')\,b) \Vdash_\rho \phi(C, \vec t)$. We proceed by induction on the $\lambda$-rank of $C$. Take any $C, t$. By the induction hypothesis, $M' \Vdash_\rho \forall c.\ (\forall b.\ b \in c \to \phi(b, \vec t)) \to \phi(c, \vec t)$, so $M' \downarrow \lambda c.\, N$ and $N[c := t] \Vdash_\rho (\forall b.\ b \in C \to \phi(b, \vec t)) \to \phi(C, \vec t)$. By Lemma 5.11, $M'\,t \Vdash_\rho (\forall b.\ b \in C \to \phi(b, \vec t)) \to \phi(C, \vec t)$, so by Lemma 5.13 it suffices to show that $\lambda b.\, \lambda x.\, \mathrm{ind}_{\phi(a, \vec f)}(\vec t, M')\,b \Vdash_\rho \forall b.\ b \in C \to \phi(b, \vec t)$.

Take any $B, u$ and $O \Vdash_\rho B \in C$; we need to show that $\mathrm{ind}_{\phi(a, \vec f)}(\vec t, M')[x := O]\,u \Vdash_\rho \phi(B, \vec t)$. As $x \notin FV(M')$, it suffices to show that $\mathrm{ind}_{\phi(a, \vec f)}(\vec t, M')\,u \Vdash_\rho \phi(B, \vec t)$, which, by Lemma 5.11, is equivalent to $M'\,u\,(\lambda b.\, \lambda x.\, \mathrm{ind}_{\phi(a, \vec f)}(\vec t, M')\,b) \Vdash_\rho \phi(B, \vec t)$. As $O \Vdash_\rho B \in C$, the $\lambda$-rank of $B$ is less than the $\lambda$-rank of $C$ and we get the claim by the induction hypothesis. □

Corollary 6.7 (Normalization). If $\vdash M : \phi$, then $M \downarrow$.

Proof. Take $\rho$ mapping all free proof variables of $M$ to themselves and all free first-order variables $a$ of $M$ to $(a, 0)$. Then $\rho \models\ \vdash M : \phi$. By Theorem 6.6 $M[\rho]$ normalizes. By the definition of $\rho$, $M[\rho] = \overline{M}$. By Lemma 6.2 $M$ normalizes. □

Recall that in non-deterministic reduction systems, strong normalization means that for any term $M$, all reduction paths starting from $M$ terminate, while weak normalization means that for any term $M$ there is a terminating reduction path starting from $M$. Our reduction system for $\lambda Z$ can be viewed as selecting a call-by-need reduction strategy in a non-deterministic reduction system, where a reduction can be applied anywhere inside of the term. In this view, our results show only weak normalization of the calculus. Strong normalization then, surprisingly, does not hold. One trivial reason is the ind terms. However, even without them, the system would not strongly normalize, as the following counterexample, invented by M. Crabbé and adapted to our framework, shows:

Theorem 6.8 (Crabbé's counterexample). There is a formula $\phi$ and a term $M$ such that $\vdash M : \phi$ and $M$ does not strongly normalize.

Proof. Let $t = \{x \in 0 \mid x \in x \to \bot\}$. Consider the terms:

$N = \lambda y : t \in t.\ \mathrm{snd}(\mathrm{sepProp}(t, 0, y))\ y \qquad M = \lambda x : t \in 0.\ N\ (\mathrm{sepRep}(t, 0, (x, N)))$

We first show that these terms can be typed. Let $T$ denote the following proof tree, showing that $\vdash N : t \in t \to \bot$ (each line is derived from the line above it):

$y : t \in t \vdash y : t \in \{x \in 0 \mid x \in x \to \bot\}$

$y : t \in t \vdash \mathrm{sepProp}(t, 0, y) : t \in 0 \land t \in t \to \bot$

$y : t \in t \vdash \mathrm{snd}(\mathrm{sepProp}(t, 0, y)) : t \in t \to \bot \qquad y : t \in t \vdash y : t \in t$

$y : t \in t \vdash \mathrm{snd}(\mathrm{sepProp}(t, 0, y))\ y : \bot$

$\vdash \lambda y : t \in t.\ \mathrm{snd}(\mathrm{sepProp}(t, 0, y))\ y : t \in t \to \bot$

By Weakening, we can also obtain a tree $T_1$ showing that $x : t \in 0 \vdash N : t \in t \to \bot$. The following proof tree shows that $\vdash M : t \in 0 \to \bot$:

$x : t \in 0 \vdash x : t \in 0 \qquad x : t \in 0 \vdash N : t \in t \to \bot \ (T_1)$

$x : t \in 0 \vdash (x, N) : t \in 0 \land t \in t \to \bot$

$x : t \in 0 \vdash N : t \in t \to \bot \ (T_1) \qquad x : t \in 0 \vdash \mathrm{sepRep}(t, 0, (x, N)) : t \in t$

$x : t \in 0 \vdash N\ (\mathrm{sepRep}(t, 0, (x, N))) : \bot$

$\vdash \lambda x : t \in 0.\ N\ (\mathrm{sepRep}(t, 0, (x, N))) : t \in 0 \to \bot$

We now exhibit an infinite reduction sequence starting from $M$:

$M = \lambda x : t \in 0.\ N\ (\mathrm{sepRep}(t, 0, (x, N)))$

$= \lambda x : t \in 0.\ (\lambda y : t \in t.\ \mathrm{snd}(\mathrm{sepProp}(t, 0, y))\ y)\ (\mathrm{sepRep}(t, 0, (x, N)))$

$\to \lambda x : t \in 0.\ \mathrm{snd}(\mathrm{sepProp}(t, 0, \mathrm{sepRep}(t, 0, (x, N))))\ (\mathrm{sepRep}(t, 0, (x, N)))$

$\to \lambda x : t \in 0.\ \mathrm{snd}((x, N))\ (\mathrm{sepRep}(t, 0, (x, N)))$

$\to \lambda x : t \in 0.\ N\ (\mathrm{sepRep}(t, 0, (x, N))) = M$

□

Note that the counterexample also shows that the weak normalization of $\lambda Z$ is really weak: although $\vdash M : \phi$ entails weak normalization of $M$, $\Gamma \vdash M : \phi$ does not, as there is a context $\Gamma$ such that $\Gamma \vdash M : \phi$ and $M$ does not normalize.

Moreover, a slight (from a semantic point of view) modification to $\mathrm{IZF}_R^-$, namely making it non-well-founded, results in a system which is not even weakly normalizing. A very small fragment is sufficient for this effect to arise. Let $T$ be an intuitionistic set theory consisting of 2 axioms:

• (C) $\forall a.\ a \in c \leftrightarrow a = c$

• (D) $\forall a.\ a \in d \leftrightarrow a \in c \land a \in a \to a \in a$.

The constant $c$ denotes a non-well-founded set. The existence of $d$ can be derived from the Separation axiom: $d = \{a \in c \mid a \in a \to a \in a\}$. The lambda calculus corresponding to $T$ is defined just as for $\mathrm{IZF}_R^-$.

Lemma 6.9. $T \vdash d \in c$.

Proof. It suffices to show that $d = c$. Take any $e \in d$, then $e \in c$. On the other hand, suppose $e \in c$. Since obviously $e \in e \to e \in e$, we also get $e \in d$. □

Theorem 6.10. There is a formula $\phi$ and a term $M$ such that $\vdash_T M : \phi$ and $M$ does not weakly normalize.

Proof. Let $N$ be the lambda term corresponding to the proof of Lemma 6.9 along with the proof tree $T_N$. Take $\phi = d \in d \to d \in d$. Consider the terms:

$O = \lambda x : d \in d.\ \mathrm{snd}(\mathrm{dProp}(d, c, x))\ x \qquad M = O\ (\mathrm{dRep}(d, c, (N, O))).$

Again, we first show that these terms are typable. Let $S$ be the following proof tree, showing that $\vdash O : d \in d \to d \in d$:

$x : d \in d \vdash x : d \in d$

$x : d \in d \vdash \mathrm{dProp}(d, c, x) : d \in c \land d \in d \to d \in d$

$x : d \in d \vdash \mathrm{snd}(\mathrm{dProp}(d, c, x)) : d \in d \to d \in d \qquad x : d \in d \vdash x : d \in d$

$x : d \in d \vdash \mathrm{snd}(\mathrm{dProp}(d, c, x))\ x : d \in d$

$\vdash \lambda x : d \in d.\ \mathrm{snd}(\mathrm{dProp}(d, c, x))\ x : d \in d \to d \in d$

Then the following proof tree shows that $M$ is typable:

$\vdash N : d \in c \ (T_N) \qquad \vdash O : d \in d \to d \in d \ (S)$

$\vdash (N, O) : d \in c \land d \in d \to d \in d$

$\vdash O : d \in d \to d \in d \ (S) \qquad \vdash \mathrm{dRep}(d, c, (N, O)) : d \in d$

$\vdash O\ (\mathrm{dRep}(d, c, (N, O))) : d \in d$

Finally, we exhibit the only reduction sequence starting from $M$:

$M = O\ (\mathrm{dRep}(d, c, (N, O)))$

$= (\lambda x : d \in d.\ \mathrm{snd}(\mathrm{dProp}(d, c, x))\ x)\ (\mathrm{dRep}(d, c, (N, O)))$

$\to \mathrm{snd}(\mathrm{dProp}(d, c, \mathrm{dRep}(d, c, (N, O))))\ (\mathrm{dRep}(d, c, (N, O)))$

$\to \mathrm{snd}((N, O))\ (\mathrm{dRep}(d, c, (N, O)))$

$\to O\ (\mathrm{dRep}(d, c, (N, O))) = M$

□

These counterexamples to normalization properties can also be presented in a cleaner way in the framework of higher-order rewriting [Moc06a].
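As an added illustration (not code from the paper), the following Python rewriter works on forgotten terms, with the first-order arguments of sepRep/sepProp and dRep/dProp dropped as the map $M \mapsto \overline{M}$ does, implements the three rules these two reduction sequences use ($\beta$, projection, $\mathrm{axProp}(\mathrm{axRep}(N)) \to N$) and detects that both $M$ from Theorem 6.8 and $M$ from Theorem 6.10 reduce back to themselves. The tuple encoding, the function names and the placeholder variable standing in for the proof term of Lemma 6.9 are this example's own choices.

```python
"""Tiny rewriter for the reduction loops of Theorems 6.8 and 6.10.

Terms are nested tuples.  First-order arguments of axRep/axProp are
dropped (mirroring M -> M-bar): they play no role in reductions.
"""
from typing import Optional, Tuple

Term = Tuple  # ('var', x) | ('lam', x, body) | ('app', f, a) | ('pair', a, b)
              # | ('fst', t) | ('snd', t) | ('rep', t) | ('prop', t)


def var(x): return ('var', x)
def lam(x, body): return ('lam', x, body)
def app(f, a): return ('app', f, a)
def pair(a, b): return ('pair', a, b)
def fst(t): return ('fst', t)
def snd(t): return ('snd', t)
def rep(t): return ('rep', t)     # axRep(_, _, t) with first-order args forgotten
def prop(t): return ('prop', t)   # axProp(_, _, t)


def subst(t: Term, x: str, s: Term) -> Term:
    """t[x := s]; stops at a binder for x (the closed sample terms need no renaming)."""
    tag = t[0]
    if tag == 'var':
        return s if t[1] == x else t
    if tag == 'lam':
        return t if t[1] == x else ('lam', t[1], subst(t[2], x, s))
    return (tag,) + tuple(subst(u, x, s) for u in t[1:])


def step(t: Term) -> Optional[Term]:
    """One leftmost-outermost reduction step anywhere in the term (also under
    binders, as in the non-deterministic system); None if t is in normal form."""
    tag = t[0]
    if tag == 'app' and t[1][0] == 'lam':
        return subst(t[1][2], t[1][1], t[2])          # beta
    if tag in ('fst', 'snd') and t[1][0] == 'pair':
        return t[1][1] if tag == 'fst' else t[1][2]   # projection
    if tag == 'prop' and t[1][0] == 'rep':
        return t[1][1]                                # axProp(axRep(N)) -> N
    if tag == 'var':
        return None
    for i in range(1, len(t)):                        # reduce the leftmost reducible subterm
        if isinstance(t[i], tuple):
            r = step(t[i])
            if r is not None:
                return t[:i] + (r,) + t[i + 1:]
    return None


def reduction_cycle(t: Term, max_steps: int = 50) -> Optional[int]:
    """Length of the loop if t reduces back to an earlier term within max_steps
    steps; None if t reaches a normal form first (or no loop was found)."""
    seen = {t: 0}
    cur = t
    for n in range(1, max_steps + 1):
        cur = step(cur)
        if cur is None:
            return None
        if cur in seen:
            return n - seen[cur]
        seen[cur] = n
    return None


# Theorem 6.8: N = \y. snd(sepProp(t,0,y)) y,  M = \x. N (sepRep(t,0,(x,N)))
N_crabbe = lam('y', app(snd(prop(var('y'))), var('y')))
M_crabbe = lam('x', app(N_crabbe, rep(pair(var('x'), N_crabbe))))

# Theorem 6.10: O = \x. snd(dProp(d,c,x)) x,  M = O (dRep(d,c,(N,O)))
N_d = var('N')   # placeholder for the proof term of Lemma 6.9 (never reduced)
O_term = lam('x', app(snd(prop(var('x'))), var('x')))
M_nwf = app(O_term, rep(pair(N_d, O_term)))

if __name__ == '__main__':
    print(reduction_cycle(M_crabbe))   # 3: the three reduction steps of Theorem 6.8
    print(reduction_cycle(M_nwf))      # 3: the three reduction steps of Theorem 6.10
    print(reduction_cycle(app(lam('z', var('z')), var('w'))))  # None: normalizes
```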

7. Applications

The normalization theorem immediately provides several results.

Corollary 7.1 (Disjunction Property). If $\mathrm{IZF}_R^- \vdash \phi \lor \psi$, then $\mathrm{IZF}_R^- \vdash \phi$ or $\mathrm{IZF}_R^- \vdash \psi$.

Proof. Suppose $\mathrm{IZF}_R^- \vdash \phi \lor \psi$. By the Curry-Howard isomorphism, there is a $\lambda Z$ term $M$ such that $\vdash M : \phi \lor \psi$. By Corollary 4.8, $M \downarrow v$ and $\vdash v : \phi \lor \psi$. By Canonical Forms, either $v = \mathrm{inl}(N)$ and $\vdash N : \phi$ or $v = \mathrm{inr}(N)$ and $\vdash N : \psi$. By applying the other direction of the Curry-Howard isomorphism we get the claim. □

Corollary 7.2 (Term Existence Property). If $\mathrm{IZF}_R^- \vdash \exists x.\, \phi(x)$, then there is a closed term $t$ such that $\mathrm{IZF}_R^- \vdash \phi(t)$.

Proof. By the Curry-Howard isomorphism, there is a $\lambda Z$-term $M$ such that $\vdash M : \exists x.\, \phi$. By normalizing $M$ and applying Canonical Forms, we get $[t, N]$ such that $\vdash N : \phi(t)$ and thus by the Curry-Howard isomorphism $\mathrm{IZF}_R^- \vdash \phi(t)$. If $t$ is not closed already, then let $\vec a = FV(t)$. We have $\mathrm{IZF}_R^- \vdash \forall \vec a.\, \phi(t)$, so also $\phi(t[\vec a := 0])$. □

To show NEP, we first define an extraction function $F$ which takes a proof $\vdash M : t \in \omega$ and returns a natural number $n$. $F$ works as follows:

It normalizes $M$ to $\mathrm{natRep}(t, N)$. By Canonical Forms, $\vdash N : t = 0 \lor \exists y \in \omega.\ t = S(y)$. $F$ then normalizes $N$ to either $\mathrm{inl}(O)$ or $\mathrm{inr}(O)$. In the former case, $F$ returns $0$. In the latter, $\vdash O : \exists y.\ y \in \omega \land t = S(y)$. Normalizing $O$ it gets $[t_1, P]$, where $\vdash P : t_1 \in \omega \land t = S(t_1)$. Normalizing $P$ it obtains $Q$ such that $\vdash Q : t_1 \in \omega$. Then $F$ returns $F(\vdash Q : t_1 \in \omega) + 1$.

To show that $F$ terminates for all its arguments, consider the sequence $t, t_1, t_2, \ldots$ of terms obtained throughout the execution of $F$. We have $\mathrm{IZF}_R^- \vdash t \in \omega$, $\mathrm{IZF}_R^- \vdash t = S(t_1)$, $\mathrm{IZF}_R^- \vdash t_1 = S(t_2)$ and so on. The length of the sequence is therefore exactly the natural number denoted by $t$.

Corollary 7.3 (Numerical Existence Property). If $\mathrm{IZF}_R^- \vdash \exists x \in \omega.\ \phi(x)$, then there is a natural number $n$ and a term $t$ such that $\mathrm{IZF}_R^- \vdash \phi(t) \land t = n$.

Proof. As before, use the Curry-Howard isomorphism to get a value $[t, M]$ such that $\vdash [t, M] : \exists x.\ x \in \omega \land \phi(x)$. Thus $\vdash M : t \in \omega \land \phi(t)$, so $M \downarrow (M_1, M_2)$ and $\vdash M_1 : t \in \omega$. Take $n = F(\vdash M_1 : t \in \omega)$. By patching together the proofs $\mathrm{IZF}_R^- \vdash t = S(t_1)$, $\mathrm{IZF}_R^- \vdash t_1 = S(t_2)$, $\ldots$, $\mathrm{IZF}_R^- \vdash t_n = 0$ obtained throughout the execution of $F$, we get $\mathrm{IZF}_R^- \vdash t = n$. □

This version of NEP differs from the one usually found in the literature, where in the end $\phi(n)$ is derived. However, $\mathrm{IZF}_R^-$ does not have the Leibniz axiom for the final step. We conjecture that it is the only version which holds in non-extensional set theories. More specifically, we conjecture that there is a term $t$ and formula $\phi$ such that $\mathrm{IZF}_R^- \vdash \phi(t) \land t = n$ and $\mathrm{IZF}_R^-$ does not prove $\phi(n)$.

8. Extensional $\mathrm{IZF}_R$

We will show that we can extend our results to full $\mathrm{IZF}_R$. We work in $\mathrm{IZF}_R^-$.

Lemma 8.1. Equality is an equivalence relation.

Proof. Straightforward. □

Definition 8.2. A set $C$ is L-stable, if $A \in C$ and $A = B$ implies $B \in C$.

Thus, L-stable sets are well-behaved as far as the atomic version of the Leibniz axiom ($\forall a, b, c.\ a \in c \land a = b \to b \in c$) is concerned.

Definition 8.3. A set $C$ is transitively L-stable (we say that $TLS(C)$ holds) if it is L-stable and every element of $C$ is transitively L-stable.

This definition is formalized in a standard way, using transitive closure, available in $\mathrm{IZF}_R^-$, as shown e.g. in [AR01]. We denote the class of transitively L-stable sets by $T$. The statement $V = T$ stands for $\forall A.\ TLS(A)$. The class $T$ in $\mathrm{IZF}_R^-$ plays a similar role to the class of well-founded sets in ZF without Foundation.

Lemma 8.4. $\mathrm{IZF}_R \vdash V = T$.

Proof. Straightforward $\in$-induction. □

The restriction of a formula $\phi$ to $T$, denoted by $\phi^T$, is defined as usual, taking into account the following translation of terms:

The notation $T \models \phi$ means that $\phi^T$ holds.

Lemma 8.5. $T$ is transitive.

Proof. Take any $A$ in $T$ and suppose $a \in A$. Then by the definition of $T$, $a \in T$ as well. □

Lemma 8.6. If $A = C$ and $A \in T$, then $C \in T$.

Proof. This is not obvious, as there is no Leibniz axiom in the logic. Suppose $a \in C$ and $a = b$. Since $A = C$, $a \in A$. Since $A$ is L-stable, $b \in A$, so also $b \in C$. Thus $C$ is L-stable.

If $a \in C$, then $a \in A$. Since $A \in T$ and $T$ is transitive, $a \in T$. Thus $C$ is transitively L-stable. □

Lemma 8.7. Equality is absolute for $T$.

Proof. Take any $a, b \in T$. Suppose $(a = b)^T$. This means that for all $c \in T$, $c \in a \leftrightarrow c \in b$. As $T$ is transitive, this is equivalent to: for all $c$, $c \in a \leftrightarrow c \in b$, so also $a = b$ in the real world. On the other hand, if $\forall c.\ c \in a \leftrightarrow c \in b$, then obviously also $\forall c \in T.\ c \in a \leftrightarrow c \in b$. □

The following three lemmas are essentially used to show that $T$ is closed under the axioms of $\mathrm{IZF}_R$.

Lemma 8.8. $0 \in T$. If $A \in T$, then $S(A) \in T$.

Proof. That $0 \in T$ is obvious. Take any $A \in T$. To show that $A \cup \{A\} \in T$, suppose $a \in A \cup \{A\}$ and $a = b$. If $a \in A$, then by $A \in T$ we have $b \in A$ and $a \in T$. If $a \in \{A\}$, then $a = A$, so also $b = A$ and by Lemma 8.6 $a \in T$. In both cases $b \in A \cup \{A\}$, which shows the claim. □

The following two lemmas are proved together by mutual induction on the definition of terms and formulas.

Lemma 8.9. For any term $t(a, \vec f)$, $\forall a, b, \vec f \in T.\ (a = b \to t^T(a, \vec f) = t^T(b, \vec f)) \land t^T(a, \vec f) \in T$.

Proof. Case $t(a, \vec f)$ of:

• $a, f_i, 0$. The claim is trivial.

• $\omega$. It suffices to show that $\omega \in T$. We show by $\in$-induction on $a$ that $\forall a.\ a \in \omega \to a \in T \land \forall b.\ a = b \to b \in \omega$. Take any $a \in \omega$. Then either $a = 0$ or there is $y \in \omega$ such that $a = S(y)$. Take any $b$ such that $a = b$. In the former case $b = 0$, so $b \in \omega$ and by Lemmas 8.6 and 8.8 we get $a \in T$. In the latter case, take this $y$. We have $b = S(y)$, so $b \in \omega$. By $a = S(y)$, $y \in a$, so by the induction hypothesis $y \in T$, thus by Lemma 8.8 we also get $a \in T$.

• $\{t_1(a, \vec f), t_2(a, \vec f)\}$. By the induction hypothesis, $t_1^T(a, \vec f) = t_1^T(b, \vec f)$ and $t_2^T(a, \vec f) = t_2^T(b, \vec f)$. In order to show that $\{t_1(a, \vec f), t_2(a, \vec f)\}^T = \{t_1(b, \vec f), t_2(b, \vec f)\}^T$, take any $A \in \{t_1^T(a, \vec f), t_2^T(a, \vec f)\}$. Then either $A = t_1^T(a, \vec f)$ or $A = t_2^T(a, \vec f)$, so either $A = t_1^T(b, \vec f)$ or $A = t_2^T(b, \vec f)$; in both cases $A \in \{t_1(b, \vec f), t_2(b, \vec f)\}^T$. The other direction is symmetric and we get $\{t_1(a, \vec f), t_2(a, \vec f)\}^T = \{t_1(b, \vec f), t_2(b, \vec f)\}^T$.

Furthermore, by the induction hypothesis, $t_1^T(a, \vec f) \in T$ and $t_2^T(a, \vec f) \in T$. Thus in both cases by Lemma 8.6 $A \in T$. Suppose $A = B$. Then either $B = t_1^T(a, \vec f)$, or $B = t_2^T(a, \vec f)$. In both cases $B \in \{t_1(a, \vec f), t_2(a, \vec f)\}^T$. Thus we have shown that $\{t_1(a, \vec f), t_2(a, \vec f)\}^T \in T$.

• $\bigcup t(a, \vec f)$. Take any $A \in (\bigcup t(a, \vec f))^T = \bigcup t^T(a, \vec f)$. By the induction hypothesis, $t^T(a, \vec f) = t^T(b, \vec f)$. Thus there is $B \in t^T(a, \vec f)$ such that $A \in B$. Thus also $B \in t^T(b, \vec f)$, so $A \in \bigcup t^T(b, \vec f)$. The other direction is symmetric and we get $(\bigcup t(a, \vec f))^T = (\bigcup t(b, \vec f))^T$.

Furthermore, by the induction hypothesis, $t^T(a, \vec f) \in T$, so by transitivity of $T$, $B \in T$ and also $A \in T$. Finally, suppose that $C = A$. Then since $B \in T$, $C \in B$, so $C \in \bigcup t^T(a, \vec f)$. This shows the claim.

• $P(t(a, \vec f))$. By the induction hypothesis, $t^T(a, \vec f) = t^T(b, \vec f)$. Suppose $A \in (P(t(a, \vec f)))^T$. Then $A \subseteq t^T(a, \vec f)$ and $A \in T$. Thus also $A \subseteq t^T(b, \vec f)$, so $A \in (P(t(b, \vec f)))^T$. The other direction is symmetric and we get $(P(t(a, \vec f)))^T = (P(t(b, \vec f)))^T$.

Suppose $A = B$. Since $A \in T$, by Lemma 8.6 $B \in T$. It is easy to see that also $B \subseteq t^T(a, \vec f)$, so $B \in P(t^T(a, \vec f)) \cap T = (P(t(a, \vec f)))^T$.

• $S_{\phi(a, \vec f)}(t(a, \vec f), \vec t(a, \vec f))$. Suppose $A \in (S_{\phi(a, \vec f)}(t(a, \vec f), \vec t(a, \vec f)))^T$. Then $A \in t^T(a, \vec f) \land \phi^T(A, \vec t^T(a, \vec f))$. By the induction hypothesis, $t^T(a, \vec f) \in T$ and $\vec t^T(a, \vec f) \in T$. Thus, by transitivity of $T$, $A \in T$. Moreover, by the induction hypothesis, $t^T(a, \vec f) = t^T(b, \vec f)$ and $\vec t^T(a, \vec f) = \vec t^T(b, \vec f)$. Therefore $A \in t^T(b, \vec f)$. By Lemma 8.10 we get $\phi^T(A, \vec t^T(b, \vec f))$. This shows that $A \in (S_{\phi(a, \vec f)}(t(b, \vec f), \vec t(b, \vec f)))^T$. The other direction is symmetric and we get $(S_{\phi(a, \vec f)}(t(a, \vec f), \vec t(a, \vec f)))^T = (S_{\phi(a, \vec f)}(t(b, \vec f), \vec t(b, \vec f)))^T$.

Suppose $A = B$. By Lemma 8.6 $B \in T$. Since $t^T(a, \vec f) \in T$, $B \in t^T(a, \vec f)$. By Lemma 8.10 $\phi^T(B, \vec t^T(a, \vec f))$ holds. Thus $(S_{\phi(a, \vec f)}(t(a, \vec f), \vec t(a, \vec f)))^T \in T$.

• $R_{\phi(a, b, \vec f)}(t(a, \vec f), \vec u(a, \vec f))$. Suppose $A \in (R_{\phi(a, b, \vec f)}(t(a, \vec f), \vec u(a, \vec f)))^T$ and $A = B$. This means that:

– $\forall x \in t^T(a, \vec f)\ \exists ! y \in T.\ \phi^T(x, y, \vec u^T(a, \vec f))$. Take any $x \in t^T(b, \vec f)$. By the induction hypothesis, $x \in t^T(a, \vec f)$. Thus there is $y \in T$ such that $\phi^T(x, y, \vec u^T(a, \vec f))$ and $\forall z \in T.\ \phi^T(x, z, \vec u^T(a, \vec f)) \to z = y$. We will now show that there is exactly one $y' \in T$ such that $\phi^T(x, y', \vec u^T(b, \vec f))$. Take $y' = y$. By the induction hypothesis, $\vec u^T(a, \vec f) = \vec u^T(b, \vec f)$. By Lemma 8.10 $\phi^T(x, y', \vec u^T(b, \vec f))$. Take any $z' \in T$ and assume $\phi^T(x, z', \vec u^T(b, \vec f))$. By Lemma 8.10 $\phi^T(x, z', \vec u^T(a, \vec f))$, so $z' = y'$. Thus we have shown that $\forall x \in t^T(b, \vec f)\ \exists ! y \in T.\ \phi^T(x, y, \vec u^T(b, \vec f))$.

– $\exists x \in t^T(a, \vec f).\ A \in T \land \phi^T(x, A, \vec u^T(a, \vec f))$. Take this $x$. By Lemma 8.6 $B \in T$, so by Lemma 8.10 $\phi^T(x, B, \vec u^T(a, \vec f))$. Moreover, by Lemma 8.10 $\phi^T(x, A, \vec u^T(b, \vec f))$. Thus there is $x \in t^T(b, \vec f)$ such that $\phi^T(x, A, \vec u^T(b, \vec f))$.

Altogether, this shows that $A \in (R_{\phi(a, b, \vec f)}(t(b, \vec f), \vec u(b, \vec f)))^T$. The other direction is symmetric and we get $(R_{\phi(a, b, \vec f)}(t(a, \vec f), \vec u(a, \vec f)))^T = (R_{\phi(a, b, \vec f)}(t(b, \vec f), \vec u(b, \vec f)))^T$. We have also shown that $(R_{\phi(a, b, \vec f)}(t(a, \vec f), \vec u(a, \vec f)))^T \in T$, so the proof is complete. □

Lemma 8.10. $T \models L_{\phi(a, \vec f)}$. In other words, $\forall a, b, \vec f \in T.\ a = b \to \phi^T(a, \vec f) \to \phi^T(b, \vec f)$.

Proof. We show representative cases. Case $\phi$ of:

• $t(a, \vec f) \in s(a, \vec f)$ for some terms $t, s$. We need to show that if $A, B, \vec F \in T$, $A = B$ and $t^T(A, \vec F) \in s^T(A, \vec F)$, then $t^T(B, \vec F) \in s^T(B, \vec F)$. By Lemma 8.9 $t^T(A, \vec F) = t^T(B, \vec F)$, $s^T(A, \vec F) = s^T(B, \vec F)$ and $s^T(A, \vec F) \in T$. Therefore $t^T(B, \vec F) \in s^T(A, \vec F)$, which entails $t^T(B, \vec F) \in s^T(B, \vec F)$.

• $\phi_1(a, \vec f) \to \phi_2(a, \vec f)$. Take any $A, B, \vec F \in T$, assume $A = B$, $\phi_1^T(A, \vec F) \to \phi_2^T(A, \vec F)$ and $\phi_1^T(B, \vec F)$. By the induction hypothesis for $\phi_1$, $\phi_1^T(A, \vec F)$. Using the assumption we obtain $\phi_2^T(A, \vec F)$. By the induction hypothesis for $\phi_2$ we get $\phi_2^T(B, \vec F)$.

• $\exists c.\ \phi_1(a, \vec f, c)$. Take any $A, B, \vec F \in T$, assume $A = B$ and $\exists c \in T.\ \phi_1^T(A, \vec F, c)$. Then there is a set $C \in T$ such that $\phi_1^T(A, \vec F, C)$ holds. By the induction hypothesis, merging $\vec f$ with $c$, we get $\phi_1^T(B, \vec F, C)$, so also $\exists c.\ \phi_1^T(B, \vec F, c)$. □

Theorem 8.11. T \=IZFii. In other words, T is an inner model of IZFr. 

Proof. We proceed axiom by axiom. 

• (EMPTY) Straightforward. 

• (PAIR) Take any A,B £ T. That {A, B} satisfies the (PAIR) axiom in T follows by 
absoluteness of equality. 

• (UNION) Take any AeT. Suppose C e\JA. Then there is some B such that C e B e A. 
Since A is transitive, B ^T. On the other hand, if there is i? G T such that C € B (^ A, 
then obviously C e\JA. 

• (INF) Suppose $C \in \omega$. Then either $C = 0$ or there is $y \in \omega$ such that $C = S(y)$. We need to show that either $C = 0$ or there is $y \in T$ such that $y \in \omega^T$ and $C = S^T(y)$. If $C = 0$, the claim is trivial. Otherwise, suppose there is $y \in \omega$ such that $C = S(y)$. Then $y \in C$, so by transitivity of $T$, $y \in T$. We also know that $\omega^T = \omega$ and $S^T(y) = S(y)$. The claim follows.

On the other hand, suppose $C = 0$ or there is $y \in T$ such that $y \in \omega$ and $C = S^T(y)$. In both cases, $C$ is trivially in $\omega$.

• (POWER) Take any $A, C \in T$. Suppose $C \in P^T(A)$. Then $\forall D \in C.\ D \in A$, so also for all $D \in T$, $D \in C \to D \in A$. On the other hand, suppose that for all $D \in T$, $D \in C \to D \in A$. To show that $C \in P^T(A)$, we need to show that $C \in T$ and for all $D \in C$, $D \in A$. We already have the former. To show the latter, note that by transitivity of $T$, any $D \in C$ is also in $T$, so by the assumption it is in $A$. This shows the claim.


• $(\mathrm{SEP}_{\phi(a,f)})$ Take any $A, F \in T$ and suppose $C \in \{x \in A \mid \phi(x,F)\}^T$. Then $C \in A$ and $\phi^T(C,F)$, which is what we need. On the other hand, if $C \in A$ and $\phi^T(C,F)$, then also $C \in \{x \in A \mid \phi^T(x,F)\} = \{x \in A \mid \phi(x,F)\}^T$.

• $(\mathrm{REPL}_{\phi(a,b,f)})$ Take any $A, F, C \in T$ such that $C \in \{z \mid (\forall x \in A\ \exists! y.\ \phi(x,y,F)) \wedge \exists x \in A.\ \phi(x,z,F)\}^T$. This is equivalent to $(\forall x \in A\ \exists! y.\ y \in T \wedge \phi^T(x,y,F)) \wedge \exists x \in A.\ C \in T \wedge \phi^T(x,C,F)$. Since $A \in T$ and $T$ is closed under equality, it is also equivalent to $(\forall x \in T.\ x \in A \to \exists y.\ y \in T \wedge \phi^T(x,y,F) \wedge \forall z.\ z \in T \to \phi^T(x,z,F) \to z = y) \wedge \exists x \in T.\ x \in A \wedge C \in T \wedge \phi^T(x,C,F)$, which is what we want.

• $(\mathrm{IND}_{\phi(a,f)})$ Take $F \in T$ and suppose that $\forall x \in T.\ (\forall y \in T.\ y \in x \to \phi^T(y,F)) \to \phi^T(x,F)$. We have to show that $\forall a.\ a \in T \to \phi^T(a,F)$. We proceed by $\in$-induction on $a$. Take any $A \in T$. By the assumption instantiated with $A$, $(\forall y \in T.\ y \in A \to \phi^T(y,F)) \to \phi^T(A,F)$. We have to show that $\phi^T(A,F)$. It suffices to show that $\forall y \in T.\ y \in A \to \phi^T(y,F)$. Take any $y \in T \cap A$. By the induction hypothesis for $y$, we get $\phi^T(y,F)$ and the claim.

• $(L_{\phi(a,f)})$ Follows by Lemma 8.10. $\square$

Lemma 8.12. For any term $t(a)$ and any formula $\phi(a)$, $\mathrm{IZF}_R \vdash \forall a.\ t^T(a) = t(a) \wedge (\phi^T(a) \leftrightarrow \phi(a))$.

Proof. By induction on the generation of terms and formulas. Case $t$ of:

• $a$, $\omega$, $0$. The proof is obvious.

• $\{t_1, t_2\}$. By the induction hypothesis, $t_1^T = t_1$ and $t_2^T = t_2$. So if $a \in \{t_1^T, t_2^T\}$, then $a = t_1$ or $a = t_2$, so $a \in \{t_1, t_2\}$. The other direction is symmetric.

• $\bigcup t_1$. By the induction hypothesis, $t_1^T = t_1$. If $a \in \bigcup t_1^T$, then there is $b$ such that $a \in b \in t_1^T$, so $b \in t_1$ and $a \in \bigcup t_1$. The other direction is symmetric.

• $P(t_1)$. By the induction hypothesis, $t_1^T = t_1$. If $a \in P(t_1^T) \cap T$, then $a \subseteq t_1^T$, so also $a \subseteq t_1$ and consequently $a \in P(t_1)$. On the other hand, if $a \in P(t_1)$, then by $V = T$ we also get $a \in T$, so $a \in (P(t_1))^T$.

• $\{x \in t_1 \mid \phi(x,u)\}$. By the induction hypothesis, $t_1^T = t_1$, $u^T = u$. Suppose $a \in \{x \in t_1^T \mid \phi^T(x,u^T)\}$. Then $a \in t_1^T$, so $a \in t_1$. Since $\phi^T(a,u^T)$ and we work in $\mathrm{IZF}_R$, $\phi^T(a,u)$. By the induction hypothesis, $\phi(a,u)$, so $a \in \{x \in t_1 \mid \phi(x,u)\}$. The other direction is symmetric.

• $\{y \mid \forall x \in t_1\ \exists! y.\ \phi(x,y,u) \wedge \exists x \in t_1.\ \phi(x,y,u)\}$. By the induction hypothesis, $t_1^T = t_1$ and $u^T = u$. Suppose $a \in \{y \mid \forall x \in t_1\ \exists! y.\ \phi(x,y,u) \wedge \exists x \in t_1.\ \phi(x,y,u)\}^T$. Then:

– For all $x \in t_1^T$ there is exactly one $y \in T$ such that $\phi^T(x,y,u^T)$. By the induction hypothesis and $V = T$, we also have for all $x \in t_1$ there is exactly one $y$ such that $\phi(x,y,u)$.

– There is $x \in t_1^T$ such that $a \in T$ and $\phi^T(x,a,u^T)$. Then also there is $x \in t_1$ such that $\phi(x,a,u)$.

Altogether, $a \in \{y \mid \forall x \in t_1\ \exists! y.\ \phi(x,y,u) \wedge \exists x \in t_1.\ \phi(x,y,u)\}$. The other direction is similar.

For the formulas, we show representative cases. Case $\phi$ of:

• $t \in s$. By the induction hypothesis, $t^T = t$ and $s^T = s$, so by the Leibniz axiom $t^T \in s^T$ is equivalent to $t \in s$.

• $\forall a.\ \phi_1$. Suppose $\forall a.\ \phi_1$; then since $V = T$ we have $\forall a \in T.\ \phi_1$. By the induction hypothesis, $\forall a \in T.\ \phi_1^T$. The other direction is similar. $\square$



Lemma 8.13. $\mathrm{IZF}_R \vdash \phi$ iff $\mathrm{IZF}_R^- \vdash \phi^T$.

Proof. The left-to-right direction follows by Theorem 8.11. For the right-to-left direction, if $\mathrm{IZF}_R^- \vdash \phi^T$, then also $\mathrm{IZF}_R \vdash \phi^T$ and Lemma 8.12 shows the claim. $\square$


Corollary 8.14. $\mathrm{IZF}_R$ satisfies DP, NEP and TEP.

Proof. For DP, suppose $\mathrm{IZF}_R \vdash \phi \vee \psi$. By Lemma 8.13, $\mathrm{IZF}_R^- \vdash \phi^T \vee \psi^T$. By DP for $\mathrm{IZF}_R^-$, either $\mathrm{IZF}_R^- \vdash \phi^T$ or $\mathrm{IZF}_R^- \vdash \psi^T$. Using Lemma 8.13 again we get either $\mathrm{IZF}_R \vdash \phi$ or $\mathrm{IZF}_R \vdash \psi$.

For NEP, suppose $\mathrm{IZF}_R \vdash \exists x.\ x \in \omega \wedge \phi(x)$. By Lemma 8.13, $\mathrm{IZF}_R^- \vdash \exists x.\ x \in T \wedge x \in \omega^T \wedge \phi^T(x)$, so $\mathrm{IZF}_R^- \vdash \exists x \in \omega^T.\ x \in T \wedge \phi^T(x)$. Since $\omega^T = \omega$, using NEP for $\mathrm{IZF}_R^-$ we get a natural number $n$ such that $\mathrm{IZF}_R^- \vdash \exists x \in \omega.\ x \in T \wedge \phi^T(x) \wedge x = n$, thus also $\mathrm{IZF}_R^- \vdash \exists x \in T.\ x \in \omega \wedge \phi^T(x) \wedge x = n$. By Lemma 8.13 and $n = n^T$, we get $\mathrm{IZF}_R \vdash \exists x.\ \phi(x) \wedge x = n$. By the Leibniz axiom, $\mathrm{IZF}_R \vdash \phi(n)$.

For TEP, suppose $\mathrm{IZF}_R \vdash \exists x.\ \phi(x)$. By Lemma 8.13, $\mathrm{IZF}_R^- \vdash \exists x \in T.\ \phi^T(x)$. By TEP for $\mathrm{IZF}_R^-$, there is a term $t$ such that $\mathrm{IZF}_R^- \vdash \phi^T(t)$. This implies $\mathrm{IZF}_R \vdash \phi^T(t)$. By Lemma 8.12, $t^T = t$, so by the Leibniz axiom in $\mathrm{IZF}_R$ we get $\mathrm{IZF}_R \vdash \phi^T(t^T)$. Since $\phi^T(t^T) = \phi(t)^T$, by Lemma 8.12 we get $\mathrm{IZF}_R \vdash \phi(t)$. $\square$

Corollary 8.15 (Set Existence Property). If $\mathrm{IZF}_R \vdash \exists x.\ \phi(x)$ and $\phi(x)$ is term-free, then there is a term-free formula $\psi(x)$ such that $\mathrm{IZF}_R \vdash \exists! x.\ \phi(x) \wedge \psi(x)$.

Proof. Take the closed term $t$ from the Term Existence Property, so that $\mathrm{IZF}_R \vdash \phi(t)$. By Corollary 3.2 there is a term-free formula $\psi(x)$ defining $t$, so that $\mathrm{IZF}_R \vdash (\exists! x.\ \psi(x)) \wedge \psi(t)$. Then $\mathrm{IZF}_R \vdash \exists! x.\ \phi(x) \wedge \psi(x)$ can be easily derived. $\square$

A different technique to tackle the problem of the Leibniz axiom, used by Friedman in [Fri73], is to define new membership ($\in^*$) and equality ($\sim$) relations in an intensional universe from scratch, so that $(V, \in^*, \sim)$ interprets his intuitionistic set theory along with the Leibniz axiom. Our $T$, on the other hand, reuses the existing $\in$ and $=$ relations. We present an alternative normalization proof, where the method of tackling the Leibniz axiom is closer to Friedman's ideas, in [Moc06b].

9. Related work 

Several normalization results for impredicative constructive set theories much weaker than $\mathrm{IZF}_R$ exist. Bailin [Bai88] proved strong normalization of a constructive set theory without the induction and replacement axioms. Miquel interpreted a theory of similar strength in a Pure Type System [Miq04]. In [Miq03] he also defined a strongly normalizing lambda calculus with types based on $F\omega.2$, capable of interpreting $\mathrm{IZF}_C$ without the $\in$-induction axiom. This result was later extended: Dowek and Miquel [DM06] interpreted a version of constructive Zermelo set theory in a strongly normalizing deduction-modulo system.

Krivine [Kri01] defined realizability using lambda calculus for a classical set theory conservative over ZF. Types for the calculus were defined as well. However, it seems that the types correspond more to truth in the realizability model than to provable statements in the theory. Moreover, the calculus does not even weakly normalize.

The standard metamathematical properties of theories related to $\mathrm{IZF}_R$ are well investigated. Myhill [Myh73] showed DP, NEP, SEP and TEP for IZF with Replacement and a non-recursive list of set terms. Friedman and Scedrov [FS83] showed SEP and TEP for an extension of that theory with countable choice axioms. Recently DP and NEP were shown for $\mathrm{IZF}_C$ extended with various choice principles by Rathjen [Rat06]. However, the technique does not seem to be strong enough to provide TEP and SEP.

In [Moc06b], we show normalization of $\mathrm{IZF}_R$ extended with $\omega$-many inaccessible sets.